curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: curben:master
Branches Tags
curben:master
curben:2025.11.1
curben:2025.11.0
curben:2025.10.1
curben:2025.10.0
curben:2025.9.1
curben:2025.9.0
curben:2025.8.1
curben:2025.8.0
curben:2025.7.0
curben:2025.6.1
curben:2025.6.0
curben:2025.5.0
curben:2025.4.2
curben:2025.4.1
curben:2025.4.0
curben:2025.2.1
curben:2025.2.0
curben:2025.1.1
curben:2025.1.0
curben:2024.12.2
curben:2024.12.1
curben:2024.12.0
curben:2024.11.1
curben:2024.11.0
curben:2024.10.1
curben:2024.10.0
curben:2024.9.1
curben:2024.9.0
curben:2024.8.3
curben:2024.8.2
curben:2024.8.1
curben:2024.8.0
curben:2024.7.3
curben:2024.7.2
curben:2024.7.1
curben:2024.7.0
curben:2024.6.1
curben:2024.6.0
curben:2024.5.0
curben:2024.4.1
curben:2024.4.0
curben:2024.3.0
curben:2024.2.1
curben:2024.2.0
curben:2024.1.5
curben:2024.1.4
curben:2024.1.3
curben:2024.1.2
curben:2024.1.1
curben:2024.1.0
curben:2023.10.0
curben:2023.8.2
curben:2023.8.1
curben:2023.8.0
curben:2023.7.3
curben:2023.7.2
curben:2023.7.1
curben:2023.7.0
curben:2023.6.1
curben:2023.6.0
curben:2023.5.1
curben:2023.5.0
curben:2023.4.2
curben:2023.4.1
curben:2023.4.0
curben:2023.3.1
curben:2023.3.0
curben:2023.2.2
curben:2023.2.1
curben:2023.2.0
curben:2023.1.0
curben:2022.12.1
curben:2022.12.0
curben:2022.11.1
curben:2022.11.0
curben:2022.10.3
curben:2022.10.2
curben:2022.10.1
curben:2022.10.0
curben:2022.9.1
curben:2022.9.0
curben:2022.8.4
curben:2022.8.3
curben:2022.8.2
curben:2022.8.1
curben:2022.8.0
curben:2022.7.1
curben:2022.7.0
curben:2022.6.3
curben:2022.6.2
curben:2022.6.1
curben:2022.6.0
curben:2022.5.3
curben:2022.5.2
curben:2022.5.1
curben:2022.5.0
curben:2022.4.1
curben:2022.4.0
curben:2022.3.4
curben:2022.3.3
curben:2022.3.2
curben:2022.3.1
curben:2022.3.0
curben:2022.2.2
curben:2022.2.1
curben:2022.2.0
curben:2022.1.3
curben:2022.1.2
curben:2022.1.1
curben:2022.1.0
curben:2021.12.4
curben:2021.12.3
curben:2021.12.2
curben:2021.12.1
curben:2021.12.0
curben:2021.11.0
curben:2021.10.5
curben:2021.10.4
curben:2021.10.3
curben:2021.10.2
curben:2021.10.1
curben:2021.10.0
curben:2021.9.2
curben:2021.9.1
curben:2021.9.0
curben:2021.8.7
curben:2021.8.6
curben:2021.8.5
curben:2021.8.4
curben:2021.8.3
curben:2021.8.2
curben:2021.8.1
curben:2021.8.0
curben:2021.7.4
curben:2021.7.3
curben:2021.7.2
curben:2021.7.1
curben:2021.7.0
curben:2021.6.0
curben:2021.5.10
curben:2021.5.9
curben:2021.5.8
curben:2021.5.7
curben:2021.5.6
curben:2021.5.5
curben:2021.5.4
curben:2021.5.3
curben:2021.5.2
curben:2021.5.1
curben:2021.5.0
curben:2021.4.0
curben:2021.3.6
curben:2021.3.5
curben:2021.3.4
curben:2021.3.3
curben:2021.3.2
curben:2021.3.1
curben:2021.3.0
curben:2021.2.5
curben:2021.2.4
curben:2021.2.3
curben:2021.2.2
curben:2021.2.1
curben:2021.2.0
curben:2021.1.5
curben:2021.1.4
curben:2021.1.3
curben:2021.1.2
curben:2021.1.1
curben:2021.1.0
curben:2020.12.0
curben:2020.11.11
curben:2020.11.10
curben:2020.11.9
curben:2020.11.8
curben:2020.11.7
curben:2020.11.6
curben:2020.11.5
curben:2020.11.4
curben:2020.11.3
curben:2020.11.2
curben:2020.11.1
curben:2020.11.0
curben:2020.10.2
curben:2020.10.1
curben:2020.10.0
curben:2020.9.3
curben:2020.9.2
curben:2020.9.1
curben:2020.9.0
curben:2020.8.2
curben:2020.8.1
curben:2020.8.0
curben:2020.7.4
curben:2020.7.3
curben:2020.7.2
curben:2020.7.1
curben:2020.7.0
curben:2020.6.6
curben:2020.6.5
curben:2020.6.4
curben:2020.6.3
curben:2020.6.2
curben:2020.6.1
curben:2020.6.0
curben:2020.5.1
curben:2020.5.0
curben:2020.4.0
curben:2020.3.2
curben:2020.3.1
curben:2020.3.0
curben:2020.2.1
curben:2020.2.0
curben:2019.12.0
curben:2019.11.3
curben:2019.11.2
curben:2019.11.1
curben:2019.11.0
curben:2019.10.4
curben:2019.10.3
curben:2019.10.2
curben:2019.10.1
curben:2019.10.0
curben:2019.9.2
curben:2019.9.1
curben:2019.9.0
curben:2019.8.4
curben:2019.8.3
curben:2019.8.1
curben:2019.8.0
curben:2019.7.0
curben:2019.6.0
curben:2019.5.0
curben:2019.4.1
curben:2019.4.0
curben:2019.3.2
curben:2019.3.1
curben:2019.3.0
curben:2019.2.1
curben:2019.2.0
curben:2019.1.0
curben:2018.12.1
curben:2018.12.0
curben:2018.11.0
curben:2018.10.5
curben:2018.10.4
curben:2018.10.3
curben:2018.10.2
curben:2018.10.1
curben:2018.10.0
curben:2018.9.0
curben:2018.8.0
..
compare: curben:2025.6.1
Branches Tags
curben:master
curben:2025.11.1
curben:2025.11.0
curben:2025.10.1
curben:2025.10.0
curben:2025.9.1
curben:2025.9.0
curben:2025.8.1
curben:2025.8.0
curben:2025.7.0
curben:2025.6.1
curben:2025.6.0
curben:2025.5.0
curben:2025.4.2
curben:2025.4.1
curben:2025.4.0
curben:2025.2.1
curben:2025.2.0
curben:2025.1.1
curben:2025.1.0
curben:2024.12.2
curben:2024.12.1
curben:2024.12.0
curben:2024.11.1
curben:2024.11.0
curben:2024.10.1
curben:2024.10.0
curben:2024.9.1
curben:2024.9.0
curben:2024.8.3
curben:2024.8.2
curben:2024.8.1
curben:2024.8.0
curben:2024.7.3
curben:2024.7.2
curben:2024.7.1
curben:2024.7.0
curben:2024.6.1
curben:2024.6.0
curben:2024.5.0
curben:2024.4.1
curben:2024.4.0
curben:2024.3.0
curben:2024.2.1
curben:2024.2.0
curben:2024.1.5
curben:2024.1.4
curben:2024.1.3
curben:2024.1.2
curben:2024.1.1
curben:2024.1.0
curben:2023.10.0
curben:2023.8.2
curben:2023.8.1
curben:2023.8.0
curben:2023.7.3
curben:2023.7.2
curben:2023.7.1
curben:2023.7.0
curben:2023.6.1
curben:2023.6.0
curben:2023.5.1
curben:2023.5.0
curben:2023.4.2
curben:2023.4.1
curben:2023.4.0
curben:2023.3.1
curben:2023.3.0
curben:2023.2.2
curben:2023.2.1
curben:2023.2.0
curben:2023.1.0
curben:2022.12.1
curben:2022.12.0
curben:2022.11.1
curben:2022.11.0
curben:2022.10.3
curben:2022.10.2
curben:2022.10.1
curben:2022.10.0
curben:2022.9.1
curben:2022.9.0
curben:2022.8.4
curben:2022.8.3
curben:2022.8.2
curben:2022.8.1
curben:2022.8.0
curben:2022.7.1
curben:2022.7.0
curben:2022.6.3
curben:2022.6.2
curben:2022.6.1
curben:2022.6.0
curben:2022.5.3
curben:2022.5.2
curben:2022.5.1
curben:2022.5.0
curben:2022.4.1
curben:2022.4.0
curben:2022.3.4
curben:2022.3.3
curben:2022.3.2
curben:2022.3.1
curben:2022.3.0
curben:2022.2.2
curben:2022.2.1
curben:2022.2.0
curben:2022.1.3
curben:2022.1.2
curben:2022.1.1
curben:2022.1.0
curben:2021.12.4
curben:2021.12.3
curben:2021.12.2
curben:2021.12.1
curben:2021.12.0
curben:2021.11.0
curben:2021.10.5
curben:2021.10.4
curben:2021.10.3
curben:2021.10.2
curben:2021.10.1
curben:2021.10.0
curben:2021.9.2
curben:2021.9.1
curben:2021.9.0
curben:2021.8.7
curben:2021.8.6
curben:2021.8.5
curben:2021.8.4
curben:2021.8.3
curben:2021.8.2
curben:2021.8.1
curben:2021.8.0
curben:2021.7.4
curben:2021.7.3
curben:2021.7.2
curben:2021.7.1
curben:2021.7.0
curben:2021.6.0
curben:2021.5.10
curben:2021.5.9
curben:2021.5.8
curben:2021.5.7
curben:2021.5.6
curben:2021.5.5
curben:2021.5.4
curben:2021.5.3
curben:2021.5.2
curben:2021.5.1
curben:2021.5.0
curben:2021.4.0
curben:2021.3.6
curben:2021.3.5
curben:2021.3.4
curben:2021.3.3
curben:2021.3.2
curben:2021.3.1
curben:2021.3.0
curben:2021.2.5
curben:2021.2.4
curben:2021.2.3
curben:2021.2.2
curben:2021.2.1
curben:2021.2.0
curben:2021.1.5
curben:2021.1.4
curben:2021.1.3
curben:2021.1.2
curben:2021.1.1
curben:2021.1.0
curben:2020.12.0
curben:2020.11.11
curben:2020.11.10
curben:2020.11.9
curben:2020.11.8
curben:2020.11.7
curben:2020.11.6
curben:2020.11.5
curben:2020.11.4
curben:2020.11.3
curben:2020.11.2
curben:2020.11.1
curben:2020.11.0
curben:2020.10.2
curben:2020.10.1
curben:2020.10.0
curben:2020.9.3
curben:2020.9.2
curben:2020.9.1
curben:2020.9.0
curben:2020.8.2
curben:2020.8.1
curben:2020.8.0
curben:2020.7.4
curben:2020.7.3
curben:2020.7.2
curben:2020.7.1
curben:2020.7.0
curben:2020.6.6
curben:2020.6.5
curben:2020.6.4
curben:2020.6.3
curben:2020.6.2
curben:2020.6.1
curben:2020.6.0
curben:2020.5.1
curben:2020.5.0
curben:2020.4.0
curben:2020.3.2
curben:2020.3.1
curben:2020.3.0
curben:2020.2.1
curben:2020.2.0
curben:2019.12.0
curben:2019.11.3
curben:2019.11.2
curben:2019.11.1
curben:2019.11.0
curben:2019.10.4
curben:2019.10.3
curben:2019.10.2
curben:2019.10.1
curben:2019.10.0
curben:2019.9.2
curben:2019.9.1
curben:2019.9.0
curben:2019.8.4
curben:2019.8.3
curben:2019.8.1
curben:2019.8.0
curben:2019.7.0
curben:2019.6.0
curben:2019.5.0
curben:2019.4.1
curben:2019.4.0
curben:2019.3.2
curben:2019.3.1
curben:2019.3.0
curben:2019.2.1
curben:2019.2.0
curben:2019.1.0
curben:2018.12.1
curben:2018.12.0
curben:2018.11.0
curben:2018.10.5
curben:2018.10.4
curben:2018.10.3
curben:2018.10.2
curben:2018.10.1
curben:2018.10.0
curben:2018.9.0
curben:2018.8.0

No commits in common. "master" and "2025.6.1" have entirely different histories.
master ... 2025.6.1

119 changed files with 1337 additions and 3606 deletions
Show Stats Expand all files Collapse all files

151
.ci/apt-internal.gitlab-ci.yml
View File

@ -1,151 +0,0 @@
.register_inputs: &register_inputs
stage: release-internal
runOnBranches: "^master$"
COMPONENT: "common"
.register_inputs_stable_bookworm: &register_inputs_stable_bookworm
<<: *register_inputs
runOnChangesTo: ['RELEASE_NOTES']
FLAVOR: "bookworm"
SERIES: "stable"
.register_inputs_stable_trixie: &register_inputs_stable_trixie
<<: *register_inputs
runOnChangesTo: ['RELEASE_NOTES']
FLAVOR: "trixie"
SERIES: "stable"
.register_inputs_next_bookworm: &register_inputs_next_bookworm
<<: *register_inputs
FLAVOR: "bookworm"
SERIES: next
.register_inputs_next_trixie: &register_inputs_next_trixie
<<: *register_inputs
FLAVOR: "trixie"
SERIES: next
################################################
### Generate Debian Package for Internal APT ###
################################################
.cloudflared-apt-build: &cloudflared_apt_build
stage: package
needs:
- ci-image-get-image-ref
- linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
image: $BUILD_IMAGE
cache: {}
script:
- make cloudflared-deb
artifacts:
paths:
- cloudflared*.deb
##############
### Stable ###
##############
cloudflared-amd64-stable:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-release]
variables: &amd64-stable-vars
GOOS: linux
GOARCH: amd64
FIPS: true
ORIGINAL_NAME: true
CGO_ENABLED: 1
cloudflared-arm64-stable:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-release]
variables: &arm64-stable-vars
GOOS: linux
GOARCH: arm64
FIPS: false # TUN-7595
ORIGINAL_NAME: true
CGO_ENABLED: 1
############
### Next ###
############
cloudflared-amd64-next:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-master]
variables:
<<: *amd64-stable-vars
NIGHTLY: true
cloudflared-arm64-next:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-master]
variables:
<<: *arm64-stable-vars
NIGHTLY: true
include:
- local: .ci/commons.gitlab-ci.yml
##########################################
### Publish Packages to Internal Repos ###
##########################################
# Bookworm AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_bookworm
jobPrefix: cloudflared-bookworm-amd64
needs: &amd64-stable ["cloudflared-amd64-stable"]
# Bookworm ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_bookworm
jobPrefix: cloudflared-bookworm-arm64
needs: &arm64-stable ["cloudflared-arm64-stable"]
# Trixie AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_trixie
jobPrefix: cloudflared-trixie-amd64
needs: *amd64-stable
# Trixie ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_trixie
jobPrefix: cloudflared-trixie-arm64
needs: *arm64-stable
##################################################
### Publish Nightly Packages to Internal Repos ###
##################################################
# Bookworm AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_bookworm
jobPrefix: cloudflared-nightly-bookworm-amd64
needs: &amd64-next ['cloudflared-amd64-next']
# Bookworm ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_bookworm
jobPrefix: cloudflared-nightly-bookworm-arm64
needs: &arm64-next ['cloudflared-arm64-next']
# Trixie AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_trixie
jobPrefix: cloudflared-nightly-trixie-amd64
needs: *amd64-next
# Trixie ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_trixie
jobPrefix: cloudflared-nightly-trixie-arm64
needs: *arm64-next

31
.ci/ci-image.gitlab-ci.yml
View File

@ -1,31 +0,0 @@
# Builds a custom CI Image when necessary
include:
#####################################################
############## Build and Push CI Image ##############
#####################################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
inputs:
stage: pre-build
jobPrefix: ci-image
runOnChangesTo: [".ci/image/**"]
runOnMR: true
runOnBranches: '^master$'
commentImageRefs: false
runner: vm-linux-x86-4cpu-8gb
EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
#####################################################
## Resolve the image reference for downstream jobs ##
#####################################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
inputs:
stage: pre-build
jobPrefix: ci-image
runOnMR: true
runOnBranches: '^master$'
IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
VARIABLE_NAME: BUILD_IMAGE
needs:
- job: ci-image-build-push-image
optional: true

45
.ci/commons.gitlab-ci.yml
View File

@ -1,45 +0,0 @@
## A set of predefined rules to use on the different jobs
.default-rules:
# Rules to run the job only on the master branch
run-on-master:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: on_success
- when: never
# Rules to run the job only on merge requests
run-on-mr:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: on_success
- when: never
# Rules to run the job on merge_requests and master branch
run-always:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: on_success
- when: never
# Rules to run the job only when a release happens
run-on-release:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
changes:
- 'RELEASE_NOTES'
when: on_success
- when: never
.component-tests:
image: $BUILD_IMAGE
rules:
- !reference [.default-rules, run-always]
variables:
COMPONENT_TESTS_CONFIG: component-test-config.yaml
COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
secrets:
DNS_API_TOKEN:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
file: false
COMPONENT_TESTS_ORIGINCERT:
vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
file: false
cache: {}

17
.ci/github.gitlab-ci.yml
View File

@ -1,17 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
######################################
### Sync master branch with Github ###
######################################
push-github:
stage: sync
rules:
- !reference [.default-rules, run-on-master]
script:
- ./.ci/scripts/github-push.sh
secrets:
CLOUDFLARED_DEPLOY_SSH_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
file: false
cache: {}

2
.ci/image/.docker-images
View File

@ -1,2 +0,0 @@
images:
- name: ci-image

35
.ci/image/Dockerfile
View File

@ -1,35 +0,0 @@
ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install --no-install-recommends --allow-downgrades -y \
build-essential \
git \
go-boring=1.24.9-1 \
libffi-dev \
procps \
python3-dev \
python3-pip \
python3-setuptools \
python3-venv \
# libmsi and libgcab are libraries the wixl binary depends on.
libmsi-dev \
libgcab-dev \
# deb and rpm build tools
rubygem-fpm \
rpm \
# create deb and rpm repository files
reprepro \
createrepo-c \
# gcc for cross architecture compilation in arm
gcc-aarch64-linux-gnu \
libc6-dev-arm64-cross && \
rm -rf /var/lib/apt/lists/* && \
# Install wixl
curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
chmod a+x /usr/local/bin/wixl && \
mkdir -p opt
WORKDIR /opt

122
.ci/linux.gitlab-ci.yml
View File

@ -1,122 +0,0 @@
.golang-inputs: &golang_inputs
runOnMR: true
runOnBranches: '^master$'
outputDir: artifacts
runner: linux-x86-8cpu-16gb
stage: build
golangVersion: "boring-1.24"
imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
CGO_ENABLED: 1
.default-packaging-job: &packaging-job-defaults
stage: package
needs:
- ci-image-get-image-ref
rules:
- !reference [.default-rules, run-on-master]
image: $BUILD_IMAGE
cache: {}
artifacts:
paths:
- artifacts/*
include:
###################
### Linux Build ###
###################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
jobPrefix: linux-build
GOLANG_MAKE_TARGET: ci-build
########################
### Linux FIPS Build ###
########################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
jobPrefix: linux-fips-build
GOLANG_MAKE_TARGET: ci-fips-build
#################
### Unit Tests ##
#################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
stage: test
jobPrefix: test
GOLANG_MAKE_TARGET: ci-test
######################
### Unit Tests FIPS ##
######################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
stage: test
jobPrefix: test-fips
GOLANG_MAKE_TARGET: ci-fips-test
#################
### Vuln Check ##
#################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
runOnBranches: '^$'
stage: validate
jobPrefix: vulncheck
GOLANG_MAKE_TARGET: vulncheck
#################################
### Run Linux Component Tests ###
#################################
linux-component-tests: &linux-component-tests
stage: test
extends: .component-tests
needs:
- ci-image-get-image-ref
- linux-build-boring-make
script:
- ./.ci/scripts/component-tests.sh
variables: &component-tests-variables
CI: 1
COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
tags:
- linux-x86-8cpu-16gb
artifacts:
reports:
junit: report.xml
######################################
### Run Linux FIPS Component Tests ###
######################################
linux-component-tests-fips:
<<: *linux-component-tests
needs:
- ci-image-get-image-ref
- linux-fips-build-boring-make
variables:
<<: *component-tests-variables
COMPONENT_TESTS_FIPS: 1
################################
####### Linux Packaging ########
################################
linux-packaging:
<<: *packaging-job-defaults
parallel:
matrix:
- ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
script:
- ./.ci/scripts/linux/build-packages.sh ${ARCH}
################################
##### Linux FIPS Packaging #####
################################
linux-packaging-fips:
<<: *packaging-job-defaults
script:
- ./.ci/scripts/linux/build-packages-fips.sh

66
.ci/mac.gitlab-ci.yml
View File

@ -1,66 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
###############################
### Defaults for Mac Builds ###
###############################
.mac-build-defaults: &mac-build-defaults
rules:
- !reference [.default-rules, run-on-mr]
tags:
- "macstadium-${RUNNER_ARCH}"
parallel:
matrix:
- RUNNER_ARCH: [arm, intel]
cache: {}
######################################
### Build Cloudflared Mac Binaries ###
######################################
macos-build-cloudflared: &mac-build
<<: *mac-build-defaults
stage: build
artifacts:
paths:
- artifacts/*
script:
- '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
- '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
- ARCH=$(uname -m)
- echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
- ./.ci/scripts/mac/install-go.sh
- BUILD_SCRIPT=.ci/scripts/mac/build.sh
- if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
- set -euo pipefail
- echo "Executing ${BUILD_SCRIPT}"
- exec ${BUILD_SCRIPT}
###############################################
### Build and Sign Cloudflared Mac Binaries ###
###############################################
macos-build-and-sign-cloudflared:
<<: *mac-build
rules:
- !reference [.default-rules, run-on-master]
secrets:
APPLE_DEV_CA_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
file: false
CFD_CODE_SIGN_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
file: false
CFD_CODE_SIGN_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
file: false
CFD_CODE_SIGN_PASS:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
file: false
CFD_INSTALLER_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
file: false
CFD_INSTALLER_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
file: false
CFD_INSTALLER_PASS:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
file: false

133
.ci/release.gitlab-ci.yml
View File

@ -1,133 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
######################################
### Build and Push DockerHub Image ###
######################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
inputs:
stage: release
jobPrefix: docker-hub
runOnMR: false
runOnBranches: '^master$'
runOnChangesTo: ['RELEASE_NOTES']
needs:
- generate-version-file
- release-cloudflared-to-r2
commentImageRefs: false
runner: vm-linux-x86-4cpu-8gb
# Based on if the CI reference is protected or not the CI component will
# either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
# we simply set both to the same value.
DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
DOCKER_USER_PROD: *docker-hub-user
DOCKER_PASSWORD_PROD: *docker-hub-password
EXTRA_DIB_ARGS: --overwrite
.default-release-job: &release-job-defaults
stage: release
image: $BUILD_IMAGE
cache:
paths:
- .cache/pip
variables: &release-job-variables
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
# KV Vars
KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
# R2 Vars
R2_BUCKET: cloudflared-pkgs
R2_ACCOUNT_ID: *cf-account
# APT and RPM Repository Vars
GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
PKG_URL: "https://pkg.cloudflare.com/cloudflared"
BINARY_NAME: cloudflared
secrets:
KV_API_TOKEN:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
file: false
API_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
file: false
R2_CLIENT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
file: false
R2_CLIENT_SECRET:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
file: false
LINUX_SIGNING_PUBLIC_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
file: false
LINUX_SIGNING_PRIVATE_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
file: false
LINUX_SIGNING_PUBLIC_KEY_2:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
file: false
LINUX_SIGNING_PRIVATE_KEY_2:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
file: false
###########################################
### Push Cloudflared Binaries to Github ###
###########################################
release-cloudflared-to-github:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-release]
needs:
- ci-image-get-image-ref
- linux-packaging
- linux-packaging-fips
- macos-build-and-sign-cloudflared
- windows-package-sign
script:
- ./.ci/scripts/release-target.sh github-release
#########################################
### Upload Cloudflared Binaries to R2 ###
#########################################
release-cloudflared-to-r2:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-release]
needs:
- ci-image-get-image-ref
- linux-packaging # We only release non-FIPS binaries to R2
- release-cloudflared-to-github
script:
- ./.ci/scripts/release-target.sh r2-linux-release
#################################################
### Upload Cloudflared Nightly Binaries to R2 ###
#################################################
release-cloudflared-nightly-to-r2:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-master]
variables:
<<: *release-job-variables
R2_BUCKET: cloudflared-pkgs-next
GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
needs:
- ci-image-get-image-ref
- linux-packaging # We only release non-FIPS binaries to R2
script:
- ./.ci/scripts/release-target.sh r2-linux-release
#############################
### Generate Version File ###
#############################
generate-version-file:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-release]
needs:
- ci-image-get-image-ref
script:
- make generate-docker-version
artifacts:
paths:
- versions

25
.ci/scripts/component-tests.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
set -e -o pipefail
# Fetch cloudflared from the artifacts folder
mv ./artifacts/cloudflared ./cloudflared
python3 -m venv env
. env/bin/activate
pip install --upgrade -r component-tests/requirements.txt
# Creates and routes a Named Tunnel for this build. Also constructs
# config file from env vars.
python3 component-tests/setup.py --type create
# Define the cleanup function
cleanup() {
# The Named Tunnel is deleted and its route unprovisioned here.
python3 component-tests/setup.py --type cleanup
}
# The trap will call the cleanup function on script exit
trap cleanup EXIT
pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml

31
.ci/scripts/github-push.sh
View File

@ -1,31 +0,0 @@
#!/bin/bash
set -e -o pipefail
BRANCH="master"
TMP_PATH="$PWD/tmp"
PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
mkdir -p $TMP_PATH
# Setup Private Key
echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
chmod 400 $PRIVATE_KEY_PATH
# Download GitHub Public Key for KnownHostsFile
ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
# Setup git ssh command with the right configurations
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
# Add GitHub as a new remote
git remote add github git@github.com:cloudflare/cloudflared.git || true
# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
# Therefore, we need to manually fetch the reference to then push it to GitHub.
git fetch origin $BRANCH:$BRANCH
git push -u github $BRANCH
if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
git push -u github "$TAG"
fi

59
.ci/scripts/linux/build-packages.sh
View File

@ -1,59 +0,0 @@
#!/bin/bash
# Check if architecture argument is provided
if [ $# -eq 0 ]; then
echo "Error: Architecture argument is required"
echo "Usage: $0 <architecture>"
exit 1
fi
# Parameters
arch=$1
# Get Version
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
# Disable FIPS module in go-boring
export GOEXPERIMENT=noboringcrypto
export CGO_ENABLED=0
# This controls the directory the built artifacts go into
export ARTIFACT_DIR=artifacts/
mkdir -p $ARTIFACT_DIR
export TARGET_OS=linux
unset TARGET_ARM
export TARGET_ARCH=$arch
## Support for arm platforms without hardware FPU enabled
if [[ $arch == arm ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=5
fi
## Support for armhf builds
if [[ $arch == armhf ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=7
fi
make cloudflared-deb
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH=$arch
if [ $arch == "amd64" ];then
RPMARCH="x86_64"
fi
if [ $arch == "arm64" ]; then
RPMARCH="aarch64"
fi
make cloudflared-rpm
mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
# finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch

18
.ci/scripts/release-target.sh
View File

@ -1,18 +0,0 @@
#!/bin/bash
set -e -o pipefail
# Check if a make target is provided as an argument
if [ $# -eq 0 ]; then
echo "Error: Make target argument is required"
echo "Usage: $0 <make-target>"
exit 1
fi
MAKE_TARGET=$1
python3 -m venv venv
source venv/bin/activate
# Our release scripts are written in python, so we should install their dependecies here.
pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
make $MAKE_TARGET

52
.ci/scripts/vuln-check.sh
View File

@ -1,52 +0,0 @@
#!/bin/bash
set -e
# Define the file to store the list of vulnerabilities to ignore.
IGNORE_FILE=".vulnignore"
# Check if the ignored vulnerabilities file exists. If not, create an empty one.
if [ ! -f "$IGNORE_FILE" ]; then
touch "$IGNORE_FILE"
echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
echo "" >> "$IGNORE_FILE"
fi
# Run govulncheck and capture its output.
VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
# Print the govuln output
echo "====================================="
echo "Full Output of govulncheck:"
echo "====================================="
echo "$VULN_OUTPUT"
echo "====================================="
echo "End of govulncheck Output"
echo "====================================="
# Process the ignore file to remove comments and empty lines.
# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
# The 'grep' command filters out empty lines and lines starting with '#'.
CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
# Filter out the ignored vulnerabilities.
UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
# If the list of ignored vulnerabilities is not empty, filter them out.
if [ -n "$CLEAN_IGNORES" ]; then
UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
fi
# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
if [ -n "$UNIGNORED_VULNS" ]; then
echo "🚨 Found new, unignored vulnerabilities:"
echo "-------------------------------------"
echo "$UNIGNORED_VULNS"
echo "-------------------------------------"
echo "Exiting with an error. ❌"
exit 1
else
echo "🎉 No new vulnerabilities found. All clear! ✨"
exit 0
fi

29
.ci/scripts/windows/builds.ps1
View File

@ -1,29 +0,0 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$env:TARGET_OS = "windows"
$env:LOCAL_OS = "windows"
$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
New-Item -Path ".\artifacts" -ItemType Directory
Write-Output "Building for amd64"
$env:TARGET_ARCH = "amd64"
$env:LOCAL_ARCH = "amd64"
$env:CGO_ENABLED = 1
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
# Sign build
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
Write-Output "Building for 386"
$env:TARGET_ARCH = "386"
$env:LOCAL_ARCH = "386"
$env:CGO_ENABLED = 0
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
## Sign build
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe

40
.ci/scripts/windows/component-test.ps1
View File

@ -1,40 +0,0 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$env:TARGET_OS = "windows"
$env:LOCAL_OS = "windows"
$env:TARGET_ARCH = "amd64"
$env:LOCAL_ARCH = "amd64"
$env:CGO_ENABLED = 1
python --version
python -m pip --version
Write-Host "Building cloudflared"
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
Write-Host "Running unit tests"
# Not testing with race detector because of https://github.com/golang/go/issues/61058
# We already test it on other platforms
go test -failfast -v -mod=vendor ./...
if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
# On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
$env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
Write-Host "No Proxy: ${env:NO_PROXY}"
Write-Host "Running component tests"
try {
python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
python component-tests/setup.py --type create
python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
if ($LASTEXITCODE -ne 0) {
throw "Failed component tests"
}
} finally {
python component-tests/setup.py --type cleanup
}

69
.ci/scripts/windows/go-wrapper.ps1
View File

@ -1,69 +0,0 @@
Param(
[string]$GoVersion,
[string]$ScriptToExecute
)
# The script is a wrapper that downloads a specific version
# of go, adds it to the PATH and executes a script with that go
# version in the path.
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
# Get the path to the system's temporary directory.
$tempPath = [System.IO.Path]::GetTempPath()
# Create a unique name for the new temporary folder.
$folderName = "go_" + (Get-Random)
# Join the temp path and the new folder name to create the full path.
$fullPath = Join-Path -Path $tempPath -ChildPath $folderName
# Store the current value of PATH environment variable.
$oldPath = $env:Path
# Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
try {
# Create the temporary folder.
Write-Host "Creating temporary folder at: $fullPath"
$newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
# Download go
$url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
$destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
Write-Host "Downloading go from: $url"
Invoke-WebRequest -Uri $url -OutFile $destinationFile
Write-Host "File downloaded to: $destinationFile"
# Unzip the downloaded file.
Write-Host "Unzipping the file..."
Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
Write-Host "File unzipped successfully."
# Define the go/bin path wich is inside the temporary folder
$goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
# Add the go/bin path to the PATH environment variable.
$env:Path = "$goBinPath;$($env:Path)"
Write-Host "Added $goBinPath to the environment PATH."
go env
go version
& $ScriptToExecute
} finally {
# Cleanup: Remove the path from the environment variable and then the temporary folder.
Write-Host "Starting cleanup..."
$env:Path = $oldPath
Write-Host "Reverted changes in the environment PATH."
# Remove the temporary folder and its contents.
if (Test-Path -Path $fullPath) {
Remove-Item -Path $fullPath -Recurse -Force
Write-Host "Temporary folder and its contents have been removed."
} else {
Write-Host "Temporary folder does not exist, no cleanup needed."
}
}

26
.ci/scripts/windows/sign-msi.ps1
View File

@ -1,26 +0,0 @@
# Sign Windows artifacts using azuretool
# This script processes MSI files from the artifacts directory
$ErrorActionPreference = "Stop"
# Define paths
$ARTIFACT_DIR = "artifacts"
$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
# Find all Windows MSI files
$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
if ($msiFiles.Count -eq 0) {
Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
exit 1
}
Write-Host "Found $($msiFiles.Count) file(s) to sign:"
foreach ($file in $msiFiles) {
Write-Host "Running azuretool sign for $($file.Name)"
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
}
Write-Host "Signing process completed"

114
.ci/windows.gitlab-ci.yml
View File

@ -1,114 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
###################################
### Defaults for Windows Builds ###
###################################
.windows-build-defaults: &windows-build-defaults
rules:
- !reference [.default-rules, run-always]
tags:
- windows-x86
cache: {}
##########################################
### Build Cloudflared Windows Binaries ###
##########################################
windows-build-cloudflared:
<<: *windows-build-defaults
stage: build
script:
- powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
artifacts:
paths:
- artifacts/*
######################################################
### Load Environment Variables for Component Tests ###
######################################################
windows-load-env-variables:
stage: pre-build
extends: .component-tests
script:
- echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
- echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
- echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
# We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
- echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
- echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
- echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
- echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
- echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
- echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
variables:
COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
secrets:
KEY_VAULT_URL:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
file: false
KEY_VAULT_CLIENT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
file: false
KEY_VAULT_TENANT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
file: false
KEY_VAULT_SECRET:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
file: false
KEY_VAULT_CERTIFICATE:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
file: false
artifacts:
access: 'none'
reports:
dotenv: windows.env
###################################
### Run Windows Component Tests ###
###################################
windows-component-tests-cloudflared:
<<: *windows-build-defaults
stage: test
needs: ["windows-load-env-variables"]
script:
# We have to decode the secret we encoded on the `windows-load-env-variables` job
- $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
- powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
artifacts:
reports:
junit: report.xml
################################
### Package Windows Binaries ###
################################
windows-package:
rules:
- !reference [.default-rules, run-on-master]
stage: package
needs:
- ci-image-get-image-ref
- windows-build-cloudflared
image: $BUILD_IMAGE
script:
- .ci/scripts/package-windows.sh
cache: {}
artifacts:
paths:
- artifacts/*
#############################
### Sign Windows Binaries ###
#############################
windows-package-sign:
<<: *windows-build-defaults
rules:
- !reference [.default-rules, run-on-master]
stage: package
needs:
- windows-package
- windows-load-env-variables
script:
- powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
artifacts:
paths:
- artifacts/*

200
.gitlab-ci.yml
View File

@ -1,58 +1,172 @@
variables:
GO_VERSION: "go1.24.9"
GIT_DEPTH: "0"
# Define GOPATH within the project directory to allow GitLab CI to cache it.
# By default, Go places modules in GOMODCACHE, often outside the project.
# Explicitly setting GOMODCACHE ensures it's within the cached path.
GOPATH: "$CI_PROJECT_DIR/.go"
GOMODCACHE: "$GOPATH/pkg/mod"
GO_BIN_DIR: "$GOPATH/bin"
cache:
# Cache Go modules and the binaries.
# The 'key' ensures a unique cache per branch, or you can use a fixed key
# for a shared cache across all branches if that fits your workflow.
key: "$CI_COMMIT_REF_SLUG"
paths:
- ${GOPATH}/pkg/mod/ # For Go modules
- ${GO_BIN_DIR}/
stages: [build, release]
default:
id_tokens:
VAULT_ID_TOKEN:
aud: https://vault.cfdata.org
stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
# This before_script is injected into every job that runs on master meaning that if there is no tag the step
# will succeed but only write "No tag present - Skipping" to the console.
.check_tag:
before_script:
- |
# Check if there is a Git tag pointing to HEAD
echo "Tag found: $(git tag --points-at HEAD | grep .)"
if git tag --points-at HEAD | grep .; then
echo "Tag found: $(git tag --points-at HEAD | grep .)"
export "VERSION=$(git tag --points-at HEAD | grep .)"
else
echo "No tag present — skipping."
exit 0
fi
include:
#####################################################
########## Import Commons Configurations ############
#####################################################
- local: .ci/commons.gitlab-ci.yml
## A set of predefined rules to use on the different jobs
.default_rules:
# Rules to run the job only on the master branch
run_on_master:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: always
- when: never
# Rules to run the job only on branches that are not master. This is needed because for now
# we need to keep a similar behavior due to the integration with teamcity, which requires us
# to not trigger pipelines on tags and/or merge requests.
run_on_branch:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
when: always
- when: never
#####################################################
########### Sync Repository with Github #############
#####################################################
- local: .ci/github.gitlab-ci.yml
#####################################################
############# Build or Fetch CI Image ###############
#####################################################
- local: .ci/ci-image.gitlab-ci.yml
# Template for Go setup, including caching and installation
.go_setup:
image: docker-registry.cfdata.org/stash/devtools/ci-builders/golang-1.24/master:3090-3e32590@sha256:fc81df4f8322f022d93712ee40bb1e5752fdbe9868d1e5a23fd851ad6fbecb91
before_script:
- mkdir -p ${GOPATH} ${GOMODCACHE} ${GO_BIN_DIR}
- export PATH=$PATH:${GO_BIN_DIR}
- go env -w GOMODCACHE=${GOMODCACHE} # Ensure go uses the cached module path
#####################################################
################## Linux Builds ###################
#####################################################
- local: .ci/linux.gitlab-ci.yml
# Check if govulncheck is already installed and install it if not
- if [ ! -f ${GO_BIN_DIR}/govulncheck ]; then
echo "govulncheck not found in cache, installing...";
go install golang.org/x/vuln/cmd/govulncheck@latest;
else
echo "govulncheck found in cache, skipping installation.";
fi
#####################################################
################## Windows Builds ###################
#####################################################
- local: .ci/windows.gitlab-ci.yml
# -----------------------------------------------
# Stage 1: Build on every PR
# -----------------------------------------------
build_cloudflared_macos: &build
stage: build
rules:
- !reference [.default_rules, run_on_branch]
tags:
- "macstadium-${RUNNER_ARCH}"
parallel:
matrix:
- RUNNER_ARCH: [arm, intel]
artifacts:
paths:
- artifacts/*
script:
- '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
- '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
- ARCH=$(uname -m)
- echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
- ./.teamcity/mac/install-go.sh
- BUILD_SCRIPT=.teamcity/mac/build.sh
- if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
- set -euo pipefail
- echo "Executing ${BUILD_SCRIPT}"
- exec ${BUILD_SCRIPT}
#####################################################
################### macOS Builds ####################
#####################################################
- local: .ci/mac.gitlab-ci.yml
vulncheck:
stage: build
extends: .go_setup
rules:
- !reference [.default_rules, run_on_branch]
script:
- make vulncheck
#####################################################
################# Release Packages ##################
#####################################################
- local: .ci/release.gitlab-ci.yml
# -----------------------------------------------
# Stage 1: Build and sign only on releases
# -----------------------------------------------
build_and_sign_cloudflared_macos:
<<: *build
rules:
- !reference [.default_rules, run_on_master]
secrets:
APPLE_DEV_CA_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
file: false
CFD_CODE_SIGN_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
file: false
CFD_CODE_SIGN_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
file: false
CFD_CODE_SIGN_PASS:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
file: false
CFD_INSTALLER_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
file: false
CFD_INSTALLER_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
file: false
CFD_INSTALLER_PASS:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
file: false
#####################################################
########## Release Packages Internally ##############
#####################################################
- local: .ci/apt-internal.gitlab-ci.yml
#####################################################
############## Manual Claude Review #################
#####################################################
- component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
inputs:
whenToRun: "manual"
# -----------------------------------------------
# Stage 2: Release to Github after building and signing
# -----------------------------------------------
release_cloudflared_macos_to_github:
stage: release
image: docker-registry.cfdata.org/stash/tun/docker-images/cloudflared-ci/main:6-8616fe631b76-amd64@sha256:96f4fd05e66cec03e0864c1bcf09324c130d4728eef45ee994716da499183614
extends: .check_tag
dependencies:
- build_and_sign_cloudflared_macos
rules:
- !reference [.default_rules, run_on_master]
cache:
paths:
- .cache/pip
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
secrets:
KV_API_TOKEN:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
file: false
API_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
file: false
script:
- python3 --version ; pip --version # For debugging
- python3 -m venv venv
- source venv/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55
- echo $VERSION
- echo $TAG_EXISTS
- echo "Running release because tag exists."
- make macos-release

0
.ci/scripts/mac/build.sh → .teamcity/mac/build.sh vendored
View File

0
.ci/scripts/mac/install-go.sh → .teamcity/mac/install-go.sh vendored
View File

10
.ci/scripts/package-windows.sh → .teamcity/package-windows.sh vendored
View File

@ -1,23 +1,19 @@
#!/bin/bash
python3 -m venv env
. env/bin/activate
pip install pynacl==1.4.0 pygithub==1.55
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
export TARGET_OS=windows
# This controls the directory the built artifacts go into
export BUILT_ARTIFACT_DIR=artifacts/
export BUILT_ARTIFACT_DIR=built_artifacts/
export FINAL_ARTIFACT_DIR=artifacts/
mkdir -p $BUILT_ARTIFACT_DIR
mkdir -p $FINAL_ARTIFACT_DIR
windowsArchs=("amd64" "386")
for arch in ${windowsArchs[@]}; do
export TARGET_ARCH=$arch
# Copy .exe from artifacts directory
# Copy exe into final directory
cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
make cloudflared-msi
# Copy msi into final directory
mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe
done

28
.teamcity/windows/builds.ps1 vendored Normal file
View File

@ -0,0 +1,28 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
# Relative path to working directory
$CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
cd $CloudflaredDirectory
Write-Output "Building for amd64"
$env:TARGET_OS = "windows"
$env:CGO_ENABLED = 1
$env:TARGET_ARCH = "amd64"
$env:Path = "$Env:Temp\go\bin;$($env:Path)"
go env
go version
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
Write-Output "Building for 386"
$env:CGO_ENABLED = 0
$env:TARGET_ARCH = "386"
make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
copy .\cloudflared.exe .\cloudflared-windows-386.exe

47
.teamcity/windows/component-test.ps1 vendored Normal file
View File

@ -0,0 +1,47 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$WorkingDirectory = Get-Location
$CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
go env
go version
$env:TARGET_OS = "windows"
$env:CGO_ENABLED = 1
$env:TARGET_ARCH = "amd64"
$env:Path = "$Env:Temp\go\bin;$($env:Path)"
python --version
python -m pip --version
cd $CloudflaredDirectory
go env
go version
Write-Output "Building cloudflared"
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
echo $LASTEXITCODE
Write-Output "Running unit tests"
# Not testing with race detector because of https://github.com/golang/go/issues/61058
# We already test it on other platforms
go test -failfast -v -mod=vendor ./...
if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
Write-Output "Running component tests"
python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
python component-tests/setup.py --type create
python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
if ($LASTEXITCODE -ne 0) {
python component-tests/setup.py --type cleanup
throw "Failed component tests"
}
python component-tests/setup.py --type cleanup

3
.vulnignore
View File

@ -1,3 +0,0 @@
# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
# You can also add comments on the same line after the ID.
GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future

4
CHANGES.md
View File

@ -1,7 +1,3 @@
## 2025.7.1
### Notices
- `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
## 2025.1.1
### New Features
- This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.

9
Dockerfile
View File

@ -1,7 +1,7 @@
# use a builder image for building cloudflare
ARG TARGET_GOOS
ARG TARGET_GOARCH
FROM golang:1.24.9 AS builder
FROM golang:1.24.4 AS builder
ENV GO111MODULE=on \
CGO_ENABLED=0 \
TARGET_GOOS=${TARGET_GOOS} \
@ -27,11 +27,8 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# run as non-privileged user
USER nonroot
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]

9
Dockerfile.amd64
View File

@ -1,5 +1,5 @@
# use a builder image for building cloudflare
FROM golang:1.24.9 AS builder
FROM golang:1.24.4 AS builder
ENV GO111MODULE=on \
CGO_ENABLED=0 \
# the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@ -22,11 +22,8 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# run as non-privileged user
USER nonroot
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]

9
Dockerfile.arm64
View File

@ -1,5 +1,5 @@
# use a builder image for building cloudflare
FROM golang:1.24.9 AS builder
FROM golang:1.24.4 AS builder
ENV GO111MODULE=on \
CGO_ENABLED=0 \
# the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@ -22,11 +22,8 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# run as non-privileged user
USER nonroot
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]

63
Makefile
View File

@ -24,13 +24,7 @@ else
DEB_PACKAGE_NAME := $(BINARY_NAME)
endif
# Use git in windows since we don't have access to the `date` tool
ifeq ($(TARGET_OS), windows)
DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
else
DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
endif
DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H%M UTC')
VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
ifdef PACKAGE_MANAGER
VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
@ -70,8 +64,6 @@ else ifeq ($(LOCAL_ARCH),x86_64)
TARGET_ARCH ?= amd64
else ifeq ($(LOCAL_ARCH),amd64)
TARGET_ARCH ?= amd64
else ifeq ($(LOCAL_ARCH),386)
TARGET_ARCH ?= 386
else ifeq ($(LOCAL_ARCH),i686)
TARGET_ARCH ?= amd64
else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -128,8 +120,6 @@ endif
#for FIPS compliance, FPM defaults to MD5.
RPM_DIGEST := --rpm-digest sha256
GO_TEST_LOG_OUTPUT = /tmp/gotest.log
.PHONY: all
all: cloudflared test
@ -139,7 +129,7 @@ clean:
.PHONY: vulncheck
vulncheck:
@./.ci/scripts/vuln-check.sh
@govulncheck ./...
.PHONY: cloudflared
cloudflared:
@ -162,9 +152,11 @@ generate-docker-version:
.PHONY: test
test: vet
$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
ifneq ($(FIPS), true)
@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
ifndef CI
go test -v -mod=vendor -race $(LDFLAGS) ./...
else
@mkdir -p .cover
go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
endif
.PHONY: cover
@ -182,7 +174,7 @@ fuzz:
@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
@ -221,6 +213,10 @@ cloudflared-deb: cloudflared cloudflared.1
cloudflared-rpm: cloudflared cloudflared.1
$(call build_package,rpm)
.PHONY: cloudflared-pkg
cloudflared-pkg: cloudflared cloudflared.1
$(call build_package,osxpkg)
.PHONY: cloudflared-msi
cloudflared-msi:
wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@ -231,18 +227,17 @@ github-release-dryrun:
.PHONY: github-release
github-release:
python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
python3 github_message.py --release-version $(VERSION)
.PHONY: macos-release
macos-release:
python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
.PHONY: r2-linux-release
r2-linux-release:
python3 ./release_pkgs.py
.PHONY: r2-next-linux-release
# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
r2-next-linux-release:
python3 ./release_pkgs.py --upload-repo-file
.PHONY: capnp
capnp:
which capnp # https://capnproto.org/install.html
@ -251,7 +246,7 @@ capnp:
.PHONY: vet
vet:
$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
go vet -mod=vendor github.com/cloudflare/cloudflared/...
.PHONY: fmt
fmt:
@ -260,7 +255,7 @@ fmt:
.PHONY: fmt-check
fmt-check:
@./.ci/scripts/fmt-check.sh
@./fmt-check.sh
.PHONY: lint
lint:
@ -269,23 +264,3 @@ lint:
.PHONY: mocks
mocks:
go generate mocks/mockgen.go
.PHONY: ci-build
ci-build:
@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
@mkdir -p artifacts
@mv cloudflared artifacts/cloudflared
.PHONY: ci-fips-build
ci-fips-build:
@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
@mkdir -p artifacts
@mv cloudflared artifacts/cloudflared
.PHONY: ci-test
ci-test: fmt-check lint test
@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
.PHONY: ci-fips-test
ci-fips-test:
@FIPS=true $(MAKE) ci-test

28
README.md
View File

@ -3,14 +3,14 @@
Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
All usages related with proxying to your origins are available under `cloudflared tunnel help`.
You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
Such usages are available under `cloudflared access help`.
You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
routing), but for legacy reasons this requirement is still necessary:
1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
## Installing `cloudflared`
Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
* A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
## Creating Tunnels and routing traffic
Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
* Route traffic to that Tunnel:
* Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
* Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
* Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
* Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
* Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
* Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
## TryCloudflare
Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
## Deprecated versions
Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.

67
RELEASE_NOTES
View File

@ -1,70 +1,3 @@
2025.11.1
- 2025-11-07 TUN-9800: Fix docker hub push step
2025.11.0
- 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
- 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
- 2025-11-04 chore: Update cloudflared signing key name in index.html
- 2025-10-31 chore: add claude review
- 2025-10-31 Chore: Update documentation links in README
- 2025-10-31 TUN-9800: Add pipelines for linux packaging
2025.10.1
- 2025-10-30 chore: Update ci image to use goboring 1.24.9
- 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
- 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
- 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
- 2025-10-23 Fix systemd service installation hanging
- 2025-10-21 TUN-9941: Use new GPG key for RPM builds
- 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
- 2025-10-21 TUN-9941: Lookup correct key for RPM signature
- 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
- 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
2025.10.0
- 2025-10-14 chore: Fix upload of RPM repo file during double signing
- 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
- 2025-10-10 chore: Fix import of GPG keys when two keys are provided
- 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
- 2025-10-10 TUN-9883: Add new datagram v3 feature flag
- 2025-10-09 chore: Force usage of go-boring 1.24
- 2025-10-08 TUN-9882: Improve metrics for datagram v3
- 2025-10-07 GRC-16749: Add fedramp tags to catalog
- 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
- 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
- 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
- 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
2025.9.1
- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
2025.9.0
- 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
- 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
- 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
- 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
2025.8.1
- 2025-08-19 AUTH-7480 update fed callback url for login helper
- 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
- 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
2025.8.0
- 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
- 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
- 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
2025.7.0
- 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
- 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
- 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
- 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
- 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
- 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
- 2025-06-27 TUN-9472: Add virtual DNS service
- 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
2025.6.1
- 2025-06-16 TUN-9467: add vulncheck to cloudflared
- 2025-06-16 TUN-9495: Remove references to cloudflare-go

0
.ci/scripts/linux/build-packages-fips.sh → build-packages-fips.sh
View File

48
build-packages.sh Executable file
View File

@ -0,0 +1,48 @@
#!/bin/bash
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
# Disable FIPS module in go-boring
export GOEXPERIMENT=noboringcrypto
export CGO_ENABLED=0
# This controls the directory the built artifacts go into
export ARTIFACT_DIR=artifacts/
mkdir -p $ARTIFACT_DIR
linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
export TARGET_OS=linux
for arch in ${linuxArchs[@]}; do
unset TARGET_ARM
export TARGET_ARCH=$arch
## Support for arm platforms without hardware FPU enabled
if [[ $arch == arm ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=5
fi
## Support for armhf builds
if [[ $arch == armhf ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=7
fi
make cloudflared-deb
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH=$arch
if [ $arch == "amd64" ];then
RPMARCH="x86_64"
fi
if [ $arch == "arm64" ]; then
RPMARCH="aarch64"
fi
make cloudflared-rpm
mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
# finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
done

5
carrier/carrier.go
View File

@ -31,8 +31,6 @@ type StartOptions struct {
Headers http.Header
Host string
TLSClientConfig *tls.Config
AutoCloseInterstitial bool
IsFedramp bool
}
// Connection wraps up all the needed functions to forward over the tunnel
@ -48,6 +46,7 @@ type StdinoutStream struct{}
// Read will read from Stdin
func (c *StdinoutStream) Read(p []byte) (int, error) {
return os.Stdin.Read(p)
}
// Write will write to Stdout
@ -140,7 +139,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
return nil, err
}
token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
if err != nil {
return nil, err
}

3
catalog-info.yaml
View File

@ -14,7 +14,4 @@ spec:
lifecycle: "Active"
owner: "teams/tunnel-teams-routing"
cf:
compliance:
fedramp-high: "pending"
fedramp-moderate: "yes"
FIPS: "required"

259
cfsetup.yaml
View File

@ -1,2 +1,257 @@
# A valid cfsetup.yaml is required but we dont have any real config to specify
dummy_key: true
pinned_go: &pinned_go go-boring=1.24.2-1
build_dir: &build_dir /cfsetup_build
default-flavor: bookworm
bullseye: &bullseye
build-linux:
build_dir: *build_dir
builddeps: &build_deps
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- libffi-dev
- golangci-lint=1.64.8-2
pre-cache: &build_pre_cache
- export GOCACHE=/cfsetup_build/.cache/go-build
- go install golang.org/x/tools/cmd/goimports@v0.30.0
post-cache:
# Linting
- make lint
- make fmt-check
# Build binary for component test
- GOOS=linux GOARCH=amd64 make cloudflared
build-linux-fips:
build_dir: *build_dir
builddeps: *build_deps
pre-cache: *build_pre_cache
post-cache:
- export FIPS=true
# Build binary for component test
- GOOS=linux GOARCH=amd64 make cloudflared
cover:
build_dir: *build_dir
builddeps: *build_deps
pre-cache: *build_pre_cache
post-cache:
- make cover
# except FIPS and macos
build-linux-release:
build_dir: *build_dir
builddeps: &build_deps_release
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- libffi-dev
- python3-dev
- python3-pip
- python3-setuptools
- wget
- python3-venv
post-cache:
- python3 -m venv env
- . /cfsetup_build/env/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
# build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
- ./build-packages.sh
# handle FIPS separately so that we built with gofips compiler
build-linux-fips-release:
build_dir: *build_dir
builddeps: *build_deps_release
post-cache:
# same logic as above, but for FIPS packages only
- ./build-packages-fips.sh
generate-versions-file:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
post-cache:
- make generate-docker-version
build-deb:
build_dir: *build_dir
builddeps: &build_deb_deps
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- make cloudflared-deb
build-fips-internal-deb:
build_dir: *build_dir
builddeps: &build_fips_deb_deps
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export FIPS=true
- export ORIGINAL_NAME=true
- make cloudflared-deb
build-internal-deb-nightly-amd64:
build_dir: *build_dir
builddeps: *build_fips_deb_deps
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export NIGHTLY=true
- export FIPS=true
- export ORIGINAL_NAME=true
- make cloudflared-deb
build-internal-deb-nightly-arm64:
build_dir: *build_dir
builddeps: *build_fips_deb_deps
post-cache:
- export GOOS=linux
- export GOARCH=arm64
- export NIGHTLY=true
# - export FIPS=true # TUN-7595
- export ORIGINAL_NAME=true
- make cloudflared-deb
build-deb-arm64:
build_dir: *build_dir
builddeps: *build_deb_deps
post-cache:
- export GOOS=linux
- export GOARCH=arm64
- make cloudflared-deb
package-windows:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
- wget
# libmsi and libgcab are libraries the wixl binary depends on.
- libmsi-dev
- libgcab-dev
- python3-venv
pre-cache:
- wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
- chmod a+x /usr/local/bin/wixl
post-cache:
- python3 -m venv env
- . env/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55
- .teamcity/package-windows.sh
test:
build_dir: *build_dir
builddeps: &build_deps_tests
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- libffi-dev
- gotest-to-teamcity
pre-cache: *build_pre_cache
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export PATH="$HOME/go/bin:$PATH"
- make test | gotest-to-teamcity
test-fips:
build_dir: *build_dir
builddeps: *build_deps_tests
pre-cache: *build_pre_cache
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export FIPS=true
- export PATH="$HOME/go/bin:$PATH"
- make test | gotest-to-teamcity
component-test:
build_dir: *build_dir
builddeps: &build_deps_component_test
- *pinned_go
- python3
- python3-pip
- python3-setuptools
# procps installs the ps command which is needed in test_sysv_service
# because the init script uses ps pid to determine if the agent is
# running
- procps
- python3-venv
pre-cache-copy-paths:
- component-tests/requirements.txt
post-cache: &component_test_post_cache
- python3 -m venv env
- . env/bin/activate
- pip install --upgrade -r component-tests/requirements.txt
# Creates and routes a Named Tunnel for this build. Also constructs
# config file from env vars.
- python3 component-tests/setup.py --type create
- pytest component-tests -o log_cli=true --log-cli-level=INFO
# The Named Tunnel is deleted and its route unprovisioned here.
- python3 component-tests/setup.py --type cleanup
component-test-fips:
build_dir: *build_dir
builddeps: *build_deps_component_test
pre-cache-copy-paths:
- component-tests/requirements.txt
post-cache: *component_test_post_cache
github-release-dryrun:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
- python3-venv
post-cache:
- python3 -m venv env
- . env/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55
- make github-release-dryrun
github-release:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
- python3-venv
post-cache:
- python3 -m venv env
- . env/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55
- make github-release
r2-linux-release:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- wget
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
- reprepro
- createrepo-c
- python3-venv
post-cache:
- python3 -m venv env
- . env/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
- make r2-linux-release
bookworm: *bullseye
trixie: *bullseye

2
client/config_test.go
View File

@ -45,6 +45,6 @@ func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
return features.FeatureSnapshot{
PostQuantum: features.PostQuantumPrefer,
DatagramVersion: features.DatagramV3,
FeaturesList: []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
FeaturesList: []string{features.FeaturePostQuantum, features.FeatureDatagramV3_1},
}
}

2
cmd/cloudflared/access/carrier.go
View File

@ -47,7 +47,6 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
options := &carrier.StartOptions{
OriginURL: forwarder.URL,
Headers: headers, //TODO: TUN-2688 support custom headers from config file
IsFedramp: forwarder.IsFedramp,
}
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -93,7 +92,6 @@ func ssh(c *cli.Context) error {
OriginURL: url.String(),
Headers: headers,
Host: url.Host,
IsFedramp: c.Bool(fedrampFlag),
}
if connectTo := c.String(sshConnectTo); connectTo != "" {

15
cmd/cloudflared/access/cmd.go
View File

@ -51,7 +51,6 @@ Host {{.Hostname}}
ProxyCommand {{.Cloudflared}} access ssh --hostname %h
{{end}}
`
fedrampFlag = "fedramp"
)
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -80,10 +79,6 @@ func Commands() []*cli.Command {
Aliases: []string{"forward"},
Category: "Access",
Usage: "access <subcommand>",
Flags: []cli.Flag{&cli.BoolFlag{
Name: fedrampFlag,
Usage: "use when performing operations in fedramp account",
}},
Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
able to reach sensitive resources. The commands provided here allow you to interact with Access protected
@ -109,10 +104,6 @@ func Commands() []*cli.Command {
Name: "no-verbose",
Usage: "print only the jwt to stdout",
},
&cli.BoolFlag{
Name: "auto-close",
Usage: "automatically close the auth interstitial after action",
},
&cli.StringFlag{
Name: appURLFlag,
},
@ -331,7 +322,7 @@ func curl(c *cli.Context) error {
log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
return run("curl", cmdArgs...)
}
tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
tok, err = token.FetchToken(appURL, appInfo, log)
if err != nil {
log.Err(err).Msg("Failed to refresh token")
return err
@ -451,7 +442,7 @@ func sshGen(c *cli.Context) error {
if err != nil {
return err
}
cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
if err != nil {
return err
}
@ -551,7 +542,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
if c.IsSet(sshTokenSecretFlag) {
headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
}
options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
if valid, err := isTokenValid(options, log); err != nil {
return err

9
cmd/cloudflared/flags/flags.go
View File

@ -157,13 +157,4 @@ const (
// ApiURL is the command line flag used to define the base URL of the API
ApiURL = "api-url"
// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
// Management hostname to signify incoming management requests
ManagementHostname = "management-hostname"
// Automatically close the login interstitial browser window after the user makes a decision.
AutoCloseInterstitial = "auto-close"
)

2
cmd/cloudflared/linux_service.go
View File

@ -60,7 +60,7 @@ After=network-online.target
Wants=network-online.target
[Service]
TimeoutStartSec=15
TimeoutStartSec=0
Type=notify
ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
Restart=on-failure

27
cmd/cloudflared/tail/cmd.go
View File

@ -51,7 +51,6 @@ func buildTailManagementTokenSubcommand() *cli.Command {
func managementTokenCommand(c *cli.Context) error {
log := createLogger(c)
token, err := getManagementToken(c, log)
if err != nil {
return err
@ -100,7 +99,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
},
&cli.StringFlag{
Name: cfdflags.ManagementHostname,
Name: "management-hostname",
Usage: "Management hostname to signify incoming management requests",
EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
Hidden: true,
@ -237,14 +236,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
return "", err
}
var apiURL string
if userCreds.IsFEDEndpoint() {
apiURL = credentials.FedRampBaseApiURL
} else {
apiURL = c.String(cfdflags.ApiURL)
}
client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
if err != nil {
return "", err
}
@ -269,7 +261,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
// buildURL will build the management url to contain the required query parameters to authenticate the request.
func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
var err error
managementHostname := c.String("management-hostname")
token := c.String("token")
if token == "" {
token, err = getManagementToken(c, log)
@ -277,19 +269,6 @@ func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
}
}
claims, err := management.ParseToken(token)
if err != nil {
return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
}
var managementHostname string
if claims.IsFed() {
managementHostname = credentials.FedRampHostname
} else {
managementHostname = c.String(cfdflags.ManagementHostname)
}
query := url.Values{}
query.Add("access_token", token)
connector := c.String("connector-id")

21
cmd/cloudflared/tunnel/cmd.go
View File

@ -97,7 +97,7 @@ var (
"no-tls-verify",
"no-chunked-encoding",
"http2-origin",
cfdflags.ManagementHostname,
"management-hostname",
"service-op-ip",
"local-ssh-port",
"ssh-idle-timeout",
@ -459,23 +459,8 @@ func StartServer(
}
}
userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
var isFEDEndpoint bool
if err != nil {
isFEDEndpoint = false
} else {
isFEDEndpoint = userCreds.IsFEDEndpoint()
}
var managementHostname string
if isFEDEndpoint {
managementHostname = credentials.FedRampHostname
} else {
managementHostname = c.String(cfdflags.ManagementHostname)
}
mgmt := management.New(
managementHostname,
c.String("management-hostname"),
c.Bool("management-diagnostics"),
serviceIP,
connectorID,
@ -1057,7 +1042,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
Value: false,
}),
altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.ManagementHostname,
Name: "management-hostname",
Usage: "Management hostname to signify incoming management requests",
EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
Hidden: true,

46
cmd/cloudflared/tunnel/configuration.go
View File

@ -11,7 +11,6 @@ import (
"time"
"github.com/pkg/errors"
"github.com/prometheus/client_golang/prometheus"
"github.com/rs/zerolog"
"github.com/urfave/cli/v2"
"github.com/urfave/cli/v2/altsrc"
@ -26,7 +25,6 @@ import (
"github.com/cloudflare/cloudflared/edgediscovery/allregions"
"github.com/cloudflare/cloudflared/features"
"github.com/cloudflare/cloudflared/ingress"
"github.com/cloudflare/cloudflared/ingress/origins"
"github.com/cloudflare/cloudflared/orchestration"
"github.com/cloudflare/cloudflared/supervisor"
"github.com/cloudflare/cloudflared/tlsconfig"
@ -36,6 +34,7 @@ import (
const (
secretValue = "*****"
icmpFunnelTimeout = time.Second * 10
fedRampRegion = "fed" // const string denoting the region used to connect to FEDRamp servers
)
var (
@ -220,27 +219,6 @@ func prepareTunnelConfig(
resolvedRegion = endpoint
}
warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
// Setup origin dialer service and virtual services
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: ingress.NewDialer(warpRoutingConfig),
TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
}, log)
// Setup DNS Resolver Service
originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
if len(dnsResolverAddrs) > 0 {
addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
if err != nil {
return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
}
dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
}
originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
tunnelConfig := &supervisor.TunnelConfig{
ClientConfig: clientConfig,
GracePeriod: gracePeriod,
@ -268,8 +246,6 @@ func prepareTunnelConfig(
DisableQUICPathMTUDiscovery: c.Bool(flags.QuicDisablePathMTUDiscovery),
QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
QUICStreamLevelFlowControlLimit: c.Uint64(flags.QuicStreamLevelFlowControlLimit),
OriginDNSService: dnsService,
OriginDialerService: originDialerService,
}
icmpRouter, err := newICMPRouter(c, log)
if err != nil {
@ -279,9 +255,9 @@ func prepareTunnelConfig(
}
orchestratorConfig := &orchestration.Config{
Ingress: &ingressRules,
WarpRouting: warpRoutingConfig,
OriginDialerService: originDialerService,
WarpRouting: ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
ConfigurationFlags: parseConfigFlags(c),
WriteTimeout: tunnelConfig.WriteStreamTimeout,
}
return tunnelConfig, orchestratorConfig, nil
}
@ -518,19 +494,3 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
localAddr := localAddrPort.Addr()
return localAddr, nil
}
func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
// We don't allow more than 10 resolvers to be provided statically for the resolver service.
if len(input) > 10 {
return nil, errors.New("too many addresses provided, max: 10")
}
addrs := make([]netip.AddrPort, 0, len(input))
for _, val := range input {
addr, err := netip.ParseAddrPort(val)
if err != nil {
return nil, err
}
addrs = append(addrs, addr)
}
return addrs, nil
}

8
cmd/cloudflared/tunnel/login.go
View File

@ -12,7 +12,6 @@ import (
"github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/credentials"
"github.com/cloudflare/cloudflared/logger"
@ -22,8 +21,9 @@ import (
const (
baseLoginURL = "https://dash.cloudflare.com/argotunnel"
callbackURL = "https://login.cloudflareaccess.org/"
fedBaseLoginURL = "https://dash.fed.cloudflare.com/argotunnel"
fedCallbackStoreURL = "https://login.fed.cloudflareaccess.org/"
// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
fedBaseLoginURL = "https://dash.cloudflare.com/argotunnel"
fedCallbackStoreURL = "https://login.cloudflareaccess.org/"
fedRAMPParamName = "fedramp"
loginURLParamName = "loginURL"
callbackURLParamName = "callbackURL"
@ -97,8 +97,6 @@ func login(c *cli.Context) error {
callbackStoreURL,
false,
false,
c.Bool(cfdflags.AutoCloseInterstitial),
isFEDRamp,
log,
)
if err != nil {

2
cmd/cloudflared/tunnel/subcommand_context.go
View File

@ -155,12 +155,10 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
if err != nil {
return nil, err
}
tunnelCredentials := connection.Credentials{
AccountTag: credential.AccountID(),
TunnelSecret: tunnelSecret,
TunnelID: tunnel.ID,
Endpoint: credential.Endpoint(),
}
usedCertPath := false
if credentialsFilePath == "" {

6
cmd/cloudflared/tunnel/subcommands.go
View File

@ -241,11 +241,6 @@ var (
Usage: "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
}
dnsResolverAddrsFlag = &cli.StringSliceFlag{
Name: flags.VirtualDNSServiceResolverAddresses,
Usage: "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
}
)
func buildCreateCommand() *cli.Command {
@ -723,7 +718,6 @@ func buildRunCommand() *cli.Command {
icmpv4SrcFlag,
icmpv6SrcFlag,
maxActiveFlowsFlag,
dnsResolverAddrsFlag,
}
flags = append(flags, configureProxyFlags(false)...)
return &cli.Command{

8
component-tests/test_management.py
View File

@ -107,13 +107,7 @@ class TestManagement:
assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
def send_request(url, headers={}):
with requests.Session() as s:
resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
if resp.status_code == 530:
LOGGER.debug(f"Received 530 status, retrying request to {url}")
raise Exception(f"Received 530 status code from {url}")
return resp
return s.get(url, timeout=BACKOFF_SECS, headers=headers)

5
component-tests/test_service.py
View File

@ -9,7 +9,7 @@ import pytest
import test_logging
from conftest import CfdModes
from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config
from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
def default_config_dir():
@ -82,7 +82,6 @@ class TestServiceMode:
os.remove(default_config_file())
self.launchctl_cmd("list", success=False)
@skip_on_ci("we can't run sudo command on CI")
@select_platform("Linux")
@pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
reason=f"There is already a config file in default path")
@ -99,7 +98,6 @@ class TestServiceMode:
self.sysv_service_scenario(config, tmp_path, assert_log_file)
@skip_on_ci("we can't run sudo command on CI")
@select_platform("Linux")
@pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
reason=f"There is already a config file in default path")
@ -118,7 +116,6 @@ class TestServiceMode:
self.sysv_service_scenario(config, tmp_path, assert_rotating_log)
@skip_on_ci("we can't run sudo command on CI")
@select_platform("Linux")
@pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
reason=f"There is already a config file in default path")

2
component-tests/test_token.py
View File

@ -1,7 +1,7 @@
import base64
import json
from setup import get_config_from_file
from setup import get_config_from_file, persist_origin_cert
from util import start_cloudflared

21
component-tests/test_tunnel.py
View File

@ -33,20 +33,13 @@ class TestTunnel:
LOGGER.debug(config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run"], new_process=True):
wait_tunnel_ready(require_min_connections=1)
expected_status_code = 503
resp = send_request(config.get_url()+"/", expected_status_code)
assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
resp = send_request(config.get_url()+"/test", expected_status_code)
assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
resp = send_request(config.get_url()+"/")
assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
resp = send_request(config.get_url()+"/test")
assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
def retry_if_result_none(result):
'''
Returns True if the result is None, indicating that the function should be retried.
'''
return result is None
@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
def send_request(url, expected_status_code=200):
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
def send_request(url, headers={}):
with requests.Session() as s:
resp = s.get(url, timeout=BACKOFF_SECS)
return resp if resp.status_code == expected_status_code else None
return s.get(url, timeout=BACKOFF_SECS, headers=headers)

8
component-tests/util.py
View File

@ -10,6 +10,7 @@ import pytest
import requests
import yaml
import json
from retrying import retry
from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@ -34,12 +35,6 @@ def fips_enabled():
nofips = pytest.mark.skipif(
fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")
def skip_on_ci(reason):
env_ci = os.getenv("CI")
running_in_ci = env_ci is not None and env_ci != "0"
return pytest.mark.skipif(
running_in_ci, reason=f"This test can't run on CI due to: {reason}")
def write_config(directory, config):
config_path = directory / "config.yml"
with open(config_path, 'w') as outfile:
@ -116,7 +111,6 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
metrics_url = f'http://localhost:{METRICS_PORT}/ready'
with requests.Session() as s:
LOGGER.debug("Waiting for tunnel to be ready...")
resp = send_request(s, metrics_url, True)
ready_connections = resp.json()["readyConnections"]

2
config/configuration.go
View File

@ -242,8 +242,6 @@ type AccessConfig struct {
// AudTag is the AudTag to verify access JWT against.
AudTag []string `yaml:"audTag" json:"audTag"`
Environment string `yaml:"environment" json:"environment,omitempty"`
}
type IngressIPRule struct {

29
config/model.go
View File

@ -1,7 +1,7 @@
package config
import (
"crypto/sha256"
"crypto/md5"
"fmt"
"io"
"strings"
@ -16,7 +16,6 @@ type Forwarder struct {
TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
TokenSecret string `json:"secret_token_id" yaml:"serviceTokenSecret"`
Destination string `json:"destination"`
IsFedramp bool `json:"is_fedramp" yaml:"isFedramp"`
}
// Tunnel represents a tunnel that should be started
@ -47,24 +46,24 @@ type Root struct {
// Hash returns the computed values to see if the forwarder values change
func (f *Forwarder) Hash() string {
h := sha256.New()
_, _ = io.WriteString(h, f.URL)
_, _ = io.WriteString(h, f.Listener)
_, _ = io.WriteString(h, f.TokenClientID)
_, _ = io.WriteString(h, f.TokenSecret)
_, _ = io.WriteString(h, f.Destination)
h := md5.New()
io.WriteString(h, f.URL)
io.WriteString(h, f.Listener)
io.WriteString(h, f.TokenClientID)
io.WriteString(h, f.TokenSecret)
io.WriteString(h, f.Destination)
return fmt.Sprintf("%x", h.Sum(nil))
}
// Hash returns the computed values to see if the forwarder values change
func (r *DNSResolver) Hash() string {
h := sha256.New()
_, _ = io.WriteString(h, r.Address)
_, _ = io.WriteString(h, strings.Join(r.Bootstraps, ","))
_, _ = io.WriteString(h, strings.Join(r.Upstreams, ","))
_, _ = io.WriteString(h, fmt.Sprintf("%d", r.Port))
_, _ = io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
_, _ = io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
h := md5.New()
io.WriteString(h, r.Address)
io.WriteString(h, strings.Join(r.Bootstraps, ","))
io.WriteString(h, strings.Join(r.Upstreams, ","))
io.WriteString(h, fmt.Sprintf("%d", r.Port))
io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
return fmt.Sprintf("%x", h.Sum(nil))
}

2
connection/control.go
View File

@ -82,7 +82,7 @@ func (c *controlStream) ServeControlStream(
tunnelConfigGetter TunnelConfigJSONGetter,
) error {
registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
c.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)
registrationDetails, err := registrationClient.RegisterConnection(
ctx,
c.tunnelProperties.Credentials.Auth(),

35
connection/errors.go
View File

@ -1,6 +1,7 @@
package connection
import (
"github.com/cloudflare/cloudflared/edgediscovery"
tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
)
@ -52,26 +53,26 @@ func serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {
}
}
type ControlStreamError struct{}
type muxerShutdownError struct{}
var _ error = &ControlStreamError{}
func (e *ControlStreamError) Error() string {
return "control stream encountered a failure while serving"
func (e muxerShutdownError) Error() string {
return "muxer shutdown"
}
type StreamListenerError struct{}
var errMuxerStopped = muxerShutdownError{}
var _ error = &StreamListenerError{}
func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) bool {
log := observer.log.With().
Uint8(LogFieldConnIndex, connIndex).
Err(err).
Logger()
func (e *StreamListenerError) Error() string {
return "accept stream listener encountered a failure while serving"
}
type DatagramManagerError struct{}
var _ error = &DatagramManagerError{}
func (e *DatagramManagerError) Error() string {
return "datagram manager encountered a failure while serving"
switch err.(type) {
case edgediscovery.DialError:
log.Error().Msg("Connection unable to dial edge")
default:
log.Error().Msg("Connection failed")
return false
}
return true
}

3
connection/header.go
View File

@ -53,8 +53,7 @@ var headerEncoding = base64.RawStdEncoding
func IsControlResponseHeader(headerName string) bool {
return strings.HasPrefix(headerName, ":") ||
strings.HasPrefix(headerName, "cf-int-") ||
strings.HasPrefix(headerName, "cf-cloudflared-") ||
strings.HasPrefix(headerName, "cf-proxy-")
strings.HasPrefix(headerName, "cf-cloudflared-")
}
// isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly

30
connection/header_test.go
View File

@ -1,17 +1,18 @@
package connection
import (
"fmt"
"net/http"
"reflect"
"sort"
"testing"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/assert"
)
func TestSerializeHeaders(t *testing.T) {
request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
require.NoError(t, err)
assert.NoError(t, err)
mockHeaders := http.Header{
"Mock-Header-One": {"Mock header one value", "three"},
@ -38,22 +39,22 @@ func TestSerializeHeaders(t *testing.T) {
serializedHeaders := SerializeHeaders(request.Header)
// Sanity check: the headers serialized to something that's not an empty string
require.NotEqual(t, "", serializedHeaders)
assert.NotEqual(t, "", serializedHeaders)
// Deserialize back, and ensure we get the same set of headers
deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
require.NoError(t, err)
assert.NoError(t, err)
require.Len(t, deserializedHeaders, 13)
assert.Equal(t, 13, len(deserializedHeaders))
expectedHeaders := headerToReqHeader(mockHeaders)
sort.Sort(ByName(deserializedHeaders))
sort.Sort(ByName(expectedHeaders))
require.True(
assert.True(
t,
reflect.DeepEqual(expectedHeaders, deserializedHeaders),
"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
)
}
@ -81,12 +82,12 @@ func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
func TestSerializeNoHeaders(t *testing.T) {
request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
require.NoError(t, err)
assert.NoError(t, err)
serializedHeaders := SerializeHeaders(request.Header)
deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
require.NoError(t, err)
require.Empty(t, deserializedHeaders)
assert.NoError(t, err)
assert.Equal(t, 0, len(deserializedHeaders))
}
func TestDeserializeMalformed(t *testing.T) {
@ -101,22 +102,21 @@ func TestDeserializeMalformed(t *testing.T) {
for _, malformedValue := range malformedData {
_, err = DeserializeHeaders(malformedValue)
require.Error(t, err)
assert.Error(t, err)
}
}
func TestIsControlResponseHeader(t *testing.T) {
controlResponseHeaders := []string{
// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
// Anything that begins with cf-int- or cf-cloudflared-
"cf-int-sample-header",
"cf-cloudflared-sample-header",
"cf-proxy-sample-header",
// Any http2 pseudoheader
":sample-pseudo-header",
}
for _, header := range controlResponseHeaders {
require.True(t, IsControlResponseHeader(header))
assert.True(t, IsControlResponseHeader(header))
}
}
@ -130,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
}
for _, header := range notControlResponseHeaders {
require.False(t, IsControlResponseHeader(header))
assert.False(t, IsControlResponseHeader(header))
}
}

9
connection/observer.go
View File

@ -46,15 +46,6 @@ func (o *Observer) RegisterSink(sink EventSink) {
o.addSinkChan <- sink
}
func (o *Observer) logConnecting(connIndex uint8, address net.IP, protocol Protocol) {
o.log.Debug().
Int(management.EventTypeKey, int(management.Cloudflared)).
Uint8(LogFieldConnIndex, connIndex).
IPAddr(LogFieldIPAddress, address).
Str(LogFieldProtocol, protocol.String()).
Msg("Registering tunnel connection")
}
func (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {
o.log.Info().
Int(management.EventTypeKey, int(management.Cloudflared)).

46
connection/quic_connection.go
View File

@ -3,7 +3,6 @@ package connection
import (
"bufio"
"context"
"errors"
"fmt"
"io"
"net"
@ -13,6 +12,7 @@ import (
"sync/atomic"
"time"
"github.com/pkg/errors"
"github.com/quic-go/quic-go"
"github.com/rs/zerolog"
"golang.org/x/sync/errgroup"
@ -65,7 +65,7 @@ func NewTunnelConnection(
streamWriteTimeout time.Duration,
gracePeriod time.Duration,
logger *zerolog.Logger,
) TunnelConnection {
) (TunnelConnection, error) {
return &quicConnection{
conn: conn,
logger: logger,
@ -77,11 +77,10 @@ func NewTunnelConnection(
rpcTimeout: rpcTimeout,
streamWriteTimeout: streamWriteTimeout,
gracePeriod: gracePeriod,
}
}, nil
}
// Serve starts a QUIC connection that begins accepting streams.
// Returning a nil error means cloudflared will exit for good and will not attempt to reconnect.
func (q *quicConnection) Serve(ctx context.Context) error {
// The edge assumes the first stream is used for the control plane
controlStream, err := q.conn.OpenStream()
@ -89,16 +88,16 @@ func (q *quicConnection) Serve(ctx context.Context) error {
return fmt.Errorf("failed to open a registration control stream: %w", err)
}
// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
// connection).
// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
// other goroutines. We enforce returning a not-nil error for each function started in the errgroup by logging
// the error returned and returning a custom error type instead.
// other goroutine as fast as possible.
ctx, cancel := context.WithCancel(ctx)
errGroup, ctx := errgroup.WithContext(ctx)
// Close the quic connection if any of the following routines return from the errgroup (regardless of their error)
// because they are no longer processing requests for the connection.
defer q.Close()
// Start the control stream routine
// In the future, if cloudflared can autonomously push traffic to the edge, we have to make sure the control
// stream is already fully registered before the other goroutines can proceed.
errGroup.Go(func() error {
// err is equal to nil if we exit due to unregistration. If that happens we want to wait the full
// amount of the grace period, allowing requests to finish before we cancel the context, which will
@ -115,26 +114,16 @@ func (q *quicConnection) Serve(ctx context.Context) error {
}
}
}
if err != nil {
q.logger.Error().Err(err).Msg("failed to serve the control stream")
}
return &ControlStreamError{}
cancel()
return err
})
// Start the accept stream loop routine
errGroup.Go(func() error {
err := q.acceptStream(ctx)
if err != nil {
q.logger.Error().Err(err).Msg("failed to accept incoming stream requests")
}
return &StreamListenerError{}
defer cancel()
return q.acceptStream(ctx)
})
// Start the datagram handler routine
errGroup.Go(func() error {
err := q.datagramHandler.Serve(ctx)
if err != nil {
q.logger.Error().Err(err).Msg("failed to run the datagram handler")
}
return &DatagramManagerError{}
defer cancel()
return q.datagramHandler.Serve(ctx)
})
return errGroup.Wait()
@ -151,6 +140,7 @@ func (q *quicConnection) Close() {
}
func (q *quicConnection) acceptStream(ctx context.Context) error {
defer q.Close()
for {
quicStream, err := q.conn.AcceptStream(ctx)
if err != nil {
@ -240,7 +230,7 @@ func (q *quicConnection) dispatchRequest(ctx context.Context, stream *rpcquic.Re
ConnIndex: q.connIndex,
}), rwa.connectResponseSent
default:
return fmt.Errorf("unsupported error type: %s", request.Type), false
return errors.Errorf("unsupported error type: %s", request.Type), false
}
}

14
connection/quic_connection_test.go
View File

@ -30,7 +30,6 @@ import (
"golang.org/x/net/nettest"
"github.com/cloudflare/cloudflared/client"
"github.com/cloudflare/cloudflared/config"
cfdflow "github.com/cloudflare/cloudflared/flow"
"github.com/cloudflare/cloudflared/datagramsession"
@ -824,15 +823,6 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
sessionManager := datagramsession.NewManager(&log, datagramMuxer.SendToSession, sessionDemuxChan)
var connIndex uint8 = 0
packetRouter := ingress.NewPacketRouter(nil, datagramMuxer, connIndex, &log)
testDefaultDialer := ingress.NewDialer(ingress.WarpRoutingConfig{
ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
TCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},
MaxActiveFlows: 0,
})
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &log)
datagramConn := &datagramV2Connection{
conn,
@ -840,14 +830,13 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
sessionManager,
cfdflow.NewLimiter(0),
datagramMuxer,
originDialer,
packetRouter,
15 * time.Second,
0 * time.Second,
&log,
}
tunnelConn := NewTunnelConnection(
tunnelConn, err := NewTunnelConnection(
ctx,
conn,
index,
@ -860,6 +849,7 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
0*time.Second,
&log,
)
require.NoError(t, err)
return tunnelConn, datagramConn
}

43
connection/quic_datagram_v2.go
View File

@ -4,11 +4,9 @@ import (
"context"
"fmt"
"net"
"net/netip"
"time"
"github.com/google/uuid"
"github.com/pkg/errors"
pkgerrors "github.com/pkg/errors"
"github.com/quic-go/quic-go"
"github.com/rs/zerolog"
@ -34,10 +32,6 @@ const (
demuxChanCapacity = 16
)
var (
errInvalidDestinationIP = errors.New("unable to parse destination IP")
)
// DatagramSessionHandler is a service that can serve datagrams for a connection and handle sessions from incoming
// connection streams.
type DatagramSessionHandler interface {
@ -57,9 +51,6 @@ type datagramV2Connection struct {
// datagramMuxer mux/demux datagrams from quic connection
datagramMuxer *cfdquic.DatagramMuxerV2
// originDialer is the origin dialer for UDP requests
originDialer ingress.OriginUDPDialer
// packetRouter acts as the origin router for ICMP requests
packetRouter *ingress.PacketRouter
rpcTimeout time.Duration
@ -70,7 +61,6 @@ type datagramV2Connection struct {
func NewDatagramV2Connection(ctx context.Context,
conn quic.Connection,
originDialer ingress.OriginUDPDialer,
icmpRouter ingress.ICMPRouter,
index uint8,
rpcTimeout time.Duration,
@ -89,7 +79,6 @@ func NewDatagramV2Connection(ctx context.Context,
sessionManager: sessionManager,
flowLimiter: flowLimiter,
datagramMuxer: datagramMuxer,
originDialer: originDialer,
packetRouter: packetRouter,
rpcTimeout: rpcTimeout,
streamWriteTimeout: streamWriteTimeout,
@ -98,17 +87,24 @@ func NewDatagramV2Connection(ctx context.Context,
}
func (d *datagramV2Connection) Serve(ctx context.Context) error {
// If either goroutine from the errgroup returns at all (error or nil), we rely on its cancellation to make sure
// the other goroutines as well.
// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
// connection).
// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
// other goroutine as fast as possible.
ctx, cancel := context.WithCancel(ctx)
errGroup, ctx := errgroup.WithContext(ctx)
errGroup.Go(func() error {
defer cancel()
return d.sessionManager.Serve(ctx)
})
errGroup.Go(func() error {
defer cancel()
return d.datagramMuxer.ServeReceive(ctx)
})
errGroup.Go(func() error {
defer cancel()
return d.packetRouter.Serve(ctx)
})
@ -132,29 +128,12 @@ func (q *datagramV2Connection) RegisterUdpSession(ctx context.Context, sessionID
tracing.EndWithErrorStatus(registerSpan, err)
return nil, err
}
// We need to force the net.IP to IPv4 (if it's an IPv4 address) otherwise the net.IP conversion from capnp
// will be a IPv4-mapped-IPv6 address.
// In the case that the address is IPv6 we leave it untouched and parse it as normal.
ip := dstIP.To4()
if ip == nil {
ip = dstIP
}
// Parse the dstIP and dstPort into a netip.AddrPort
// This should never fail because the IP was already parsed as a valid net.IP
destAddr, ok := netip.AddrFromSlice(ip)
if !ok {
log.Err(errInvalidDestinationIP).Msgf("Failed to parse destination proxy IP: %s", ip)
tracing.EndWithErrorStatus(registerSpan, errInvalidDestinationIP)
q.flowLimiter.Release()
return nil, errInvalidDestinationIP
}
dstAddrPort := netip.AddrPortFrom(destAddr, dstPort)
// Each session is a series of datagram from an eyeball to a dstIP:dstPort.
// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.
originProxy, err := q.originDialer.DialUDP(dstAddrPort)
originProxy, err := ingress.DialUDP(dstIP, dstPort)
if err != nil {
log.Err(err).Msgf("Failed to create udp proxy to %s", dstAddrPort)
log.Err(err).Msgf("Failed to create udp proxy to %s:%d", dstIP, dstPort)
tracing.EndWithErrorStatus(registerSpan, err)
q.flowLimiter.Release()
return nil, err

1
connection/quic_datagram_v2_test.go
View File

@ -84,7 +84,6 @@ func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
t.Context(),
conn,
nil,
nil,
0,
0*time.Second,
0*time.Second,

6
credentials/credentials.go
View File

@ -10,8 +10,6 @@ import (
const (
logFieldOriginCertPath = "originCertPath"
FedEndpoint = "fed"
FedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4"
FedRampHostname = "management.fed.argotunnel.com"
)
type User struct {
@ -23,10 +21,6 @@ func (c User) AccountID() string {
return c.cert.AccountID
}
func (c User) Endpoint() string {
return c.cert.Endpoint
}
func (c User) ZoneID() string {
return c.cert.ZoneID
}

6
features/features.go
View File

@ -10,10 +10,9 @@ const (
FeaturePostQuantum = "postquantum"
FeatureQUICSupportEOF = "support_quic_eof"
FeatureManagementLogs = "management_logs"
FeatureDatagramV3_2 = "support_datagram_v3_2"
FeatureDatagramV3_1 = "support_datagram_v3_1"
DeprecatedFeatureDatagramV3 = "support_datagram_v3" // Deprecated: TUN-9291
DeprecatedFeatureDatagramV3_1 = "support_datagram_v3_1" // Deprecated: TUN-9883
)
var defaultFeatures = []string{
@ -27,7 +26,6 @@ var defaultFeatures = []string{
// List of features that are no longer in-use.
var deprecatedFeatures = []string{
DeprecatedFeatureDatagramV3,
DeprecatedFeatureDatagramV3_1,
}
// Features set by user provided flags
@ -60,7 +58,7 @@ const (
// DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets
DatagramV2 DatagramVersion = FeatureDatagramV2
// DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2.
DatagramV3 DatagramVersion = FeatureDatagramV3_2
DatagramV3 DatagramVersion = FeatureDatagramV3_1
)
// Remove any duplicate features from the list and remove deprecated features

5
features/selector.go
View File

@ -23,10 +23,9 @@ const (
// If the TXT record is missing a key, the field will unmarshal to the default Go value
type featuresRecord struct {
DatagramV3Percentage uint32 `json:"dv3_2"`
DatagramV3Percentage uint32 `json:"dv3_1"`
// DatagramV3Percentage int32 `json:"dv3"` // Removed in TUN-9291
// DatagramV3Percentage uint32 `json:"dv3_1"` // Removed in TUN-9883
// PostQuantumPercentage int32 `json:"pq"` // Removed in TUN-7970
}
@ -106,7 +105,7 @@ func (fs *featureSelector) postQuantumMode() PostQuantumMode {
func (fs *featureSelector) datagramVersion() DatagramVersion {
// If user provides the feature via the cli, we take it as priority over remote feature evaluation
if slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) {
if slices.Contains(fs.cliFeatures, FeatureDatagramV3_1) {
return DatagramV3
}
// If the user specifies DatagramV2, we also take that over remote

20
features/selector_test.go
View File

@ -22,15 +22,15 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
expectedPercentage uint32
}{
{
record: []byte(`{"dv3_2":0}`),
record: []byte(`{"dv3_1":0}`),
expectedPercentage: 0,
},
{
record: []byte(`{"dv3_2":39}`),
record: []byte(`{"dv3_1":39}`),
expectedPercentage: 39,
},
{
record: []byte(`{"dv3_2":100}`),
record: []byte(`{"dv3_1":100}`),
expectedPercentage: 100,
},
{
@ -40,7 +40,7 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
record: []byte(`{"kyber":768}`), // Unmarshal to default struct if key is not present
},
{
record: []byte(`{"pq": 101,"dv3":100,"dv3_1":100}`), // Expired keys don't unmarshal to anything
record: []byte(`{"pq": 101,"dv3":100}`), // Expired keys don't unmarshal to anything
},
}
@ -111,10 +111,10 @@ func TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) {
},
{
name: "user_specified_v3",
cli: []string{FeatureDatagramV3_2},
cli: []string{FeatureDatagramV3_1},
remote: featuresRecord{},
expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)),
expectedVersion: FeatureDatagramV3_2,
expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_1)),
expectedVersion: FeatureDatagramV3_1,
},
}
@ -150,12 +150,6 @@ func TestDeprecatedFeaturesRemoved(t *testing.T) {
remote: featuresRecord{},
expectedFeatures: defaultFeatures,
},
{
name: "support_datagram_v3_1",
cli: []string{DeprecatedFeatureDatagramV3_1},
remote: featuresRecord{},
expectedFeatures: defaultFeatures,
},
}
for _, test := range tests {

3
.ci/scripts/fmt-check.sh → fmt-check.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash
set -e -o pipefail
OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
OUTPUT=$(goimports -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
if [ -n "$OUTPUT" ] ; then
PAGER=$(which colordiff || echo cat)

2
go.mod
View File

@ -10,7 +10,7 @@ require (
github.com/fortytw2/leaktest v1.3.0
github.com/fsnotify/fsnotify v1.4.9
github.com/getsentry/sentry-go v0.16.0
github.com/go-chi/chi/v5 v5.2.2
github.com/go-chi/chi/v5 v5.0.10
github.com/go-chi/cors v1.2.1
github.com/go-jose/go-jose/v4 v4.1.0
github.com/gobwas/ws v1.2.1

4
go.sum
View File

@ -58,8 +58,8 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=

2
ingress/ingress.go
View File

@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
return Ingress{}, err
}
if access.Required {
verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
handlers = append(handlers, verifier)
}
}

11
ingress/middleware/jwtvalidator.go
View File

@ -6,8 +6,6 @@ import (
"net/http"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/cloudflare/cloudflared/credentials"
)
const (
@ -16,7 +14,6 @@ const (
var (
cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"
cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
)
// JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@ -25,14 +22,10 @@ type JWTValidator struct {
audTags []string
}
func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
var certsURL string
if environment == credentials.FedEndpoint {
certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
} else {
func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {
if certsURL == "" {
certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
}
certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)
config := &oidc.Config{

20
ingress/origin_connection.go
View File

@ -19,7 +19,7 @@ import (
type OriginConnection interface {
// Stream should generally be implemented as a bidirectional io.Copy.
Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)
Close() error
Close()
}
type streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)
@ -48,7 +48,16 @@ func (tc *tcpConnection) Write(b []byte) (int, error) {
}
}
return tc.Conn.Write(b)
nBytes, err := tc.Conn.Write(b)
if err != nil {
tc.logger.Err(err).Msg("Error writing to the TCP connection")
}
return nBytes, err
}
func (tc *tcpConnection) Close() {
tc.Conn.Close()
}
// tcpOverWSConnection is an OriginConnection that streams to TCP over WS.
@ -66,8 +75,8 @@ func (wc *tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWri
wsConn.Close()
}
func (wc *tcpOverWSConnection) Close() error {
return wc.conn.Close()
func (wc *tcpOverWSConnection) Close() {
wc.conn.Close()
}
// socksProxyOverWSConnection is an OriginConnection that streams SOCKS connections over WS.
@ -86,6 +95,5 @@ func (sp *socksProxyOverWSConnection) Stream(ctx context.Context, tunnelConn io.
wsConn.Close()
}
func (sp *socksProxyOverWSConnection) Close() error {
return nil
func (sp *socksProxyOverWSConnection) Close() {
}

163
ingress/origin_dialer.go
View File

@ -1,163 +0,0 @@
package ingress
import (
"context"
"fmt"
"net"
"net/netip"
"sync"
"time"
"github.com/rs/zerolog"
)
const writeDeadlineUDP = 200 * time.Millisecond
// OriginTCPDialer provides a TCP dial operation to a requested address.
type OriginTCPDialer interface {
DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)
}
// OriginUDPDialer provides a UDP dial operation to a requested address.
type OriginUDPDialer interface {
DialUDP(addr netip.AddrPort) (net.Conn, error)
}
// OriginDialer provides both TCP and UDP dial operations to an address.
type OriginDialer interface {
OriginTCPDialer
OriginUDPDialer
}
type OriginConfig struct {
// The default Dialer used if no reserved services are found for an origin request.
DefaultDialer OriginDialer
// Timeout on write operations for TCP connections to the origin.
TCPWriteTimeout time.Duration
}
// OriginDialerService provides a proxy TCP and UDP dialer to origin services while allowing reserved
// services to be provided. These reserved services are assigned to specific [netip.AddrPort]s
// and provide their own [OriginDialer]'s to handle origin dialing per protocol.
type OriginDialerService struct {
// Reserved TCP services for reserved AddrPort values
reservedTCPServices map[netip.AddrPort]OriginTCPDialer
// Reserved UDP services for reserved AddrPort values
reservedUDPServices map[netip.AddrPort]OriginUDPDialer
// The default Dialer used if no reserved services are found for an origin request
defaultDialer OriginDialer
defaultDialerM sync.RWMutex
// Write timeout for TCP connections
writeTimeout time.Duration
logger *zerolog.Logger
}
func NewOriginDialer(config OriginConfig, logger *zerolog.Logger) *OriginDialerService {
return &OriginDialerService{
reservedTCPServices: map[netip.AddrPort]OriginTCPDialer{},
reservedUDPServices: map[netip.AddrPort]OriginUDPDialer{},
defaultDialer: config.DefaultDialer,
writeTimeout: config.TCPWriteTimeout,
logger: logger,
}
}
// AddReservedService adds a reserved virtual service to dial to.
// Not locked and expected to be initialized before calling first dial and not afterwards.
func (d *OriginDialerService) AddReservedService(service OriginDialer, addrs []netip.AddrPort) {
for _, addr := range addrs {
d.reservedTCPServices[addr] = service
d.reservedUDPServices[addr] = service
}
}
// UpdateDefaultDialer updates the default dialer.
func (d *OriginDialerService) UpdateDefaultDialer(dialer *Dialer) {
d.defaultDialerM.Lock()
defer d.defaultDialerM.Unlock()
d.defaultDialer = dialer
}
// DialTCP will perform a dial TCP to the requested addr.
func (d *OriginDialerService) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
conn, err := d.dialTCP(ctx, addr)
if err != nil {
return nil, err
}
// Assign the write timeout for the TCP operations
return &tcpConnection{
Conn: conn,
writeTimeout: d.writeTimeout,
logger: d.logger,
}, nil
}
func (d *OriginDialerService) dialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
// Check to see if any reserved services are available for this addr and call their dialer instead.
if dialer, ok := d.reservedTCPServices[addr]; ok {
return dialer.DialTCP(ctx, addr)
}
d.defaultDialerM.RLock()
dialer := d.defaultDialer
d.defaultDialerM.RUnlock()
return dialer.DialTCP(ctx, addr)
}
// DialUDP will perform a dial UDP to the requested addr.
func (d *OriginDialerService) DialUDP(addr netip.AddrPort) (net.Conn, error) {
// Check to see if any reserved services are available for this addr and call their dialer instead.
if dialer, ok := d.reservedUDPServices[addr]; ok {
return dialer.DialUDP(addr)
}
d.defaultDialerM.RLock()
dialer := d.defaultDialer
d.defaultDialerM.RUnlock()
return dialer.DialUDP(addr)
}
type Dialer struct {
Dialer net.Dialer
}
func NewDialer(config WarpRoutingConfig) *Dialer {
return &Dialer{
Dialer: net.Dialer{
Timeout: config.ConnectTimeout.Duration,
KeepAlive: config.TCPKeepAlive.Duration,
},
}
}
func (d *Dialer) DialTCP(ctx context.Context, dest netip.AddrPort) (net.Conn, error) {
conn, err := d.Dialer.DialContext(ctx, "tcp", dest.String())
if err != nil {
return nil, fmt.Errorf("unable to dial tcp to origin %s: %w", dest, err)
}
return conn, nil
}
func (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error) {
conn, err := d.Dialer.Dial("udp", dest.String())
if err != nil {
return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
}
return &writeDeadlineConn{
Conn: conn,
}, nil
}
// writeDeadlineConn is a wrapper around a net.Conn that sets a write deadline of 200ms.
// This is to prevent the socket from blocking on the write operation if it were to occur. However,
// we typically never expect this to occur except under high load or kernel issues.
type writeDeadlineConn struct {
net.Conn
}
func (w *writeDeadlineConn) Write(b []byte) (int, error) {
if err := w.SetWriteDeadline(time.Now().Add(writeDeadlineUDP)); err != nil {
return 0, err
}
return w.Conn.Write(b)
}

46
ingress/origin_udp_proxy.go Normal file
View File

@ -0,0 +1,46 @@
package ingress
import (
"fmt"
"io"
"net"
"net/netip"
)
type UDPProxy interface {
io.ReadWriteCloser
LocalAddr() net.Addr
}
type udpProxy struct {
*net.UDPConn
}
func DialUDP(dstIP net.IP, dstPort uint16) (UDPProxy, error) {
dstAddr := &net.UDPAddr{
IP: dstIP,
Port: int(dstPort),
}
// We use nil as local addr to force runtime to find the best suitable local address IP given the destination
// address as context.
udpConn, err := net.DialUDP("udp", nil, dstAddr)
if err != nil {
return nil, fmt.Errorf("unable to create UDP proxy to origin (%v:%v): %w", dstIP, dstPort, err)
}
return &udpProxy{udpConn}, nil
}
func DialUDPAddrPort(dest netip.AddrPort) (*net.UDPConn, error) {
addr := net.UDPAddrFromAddrPort(dest)
// We use nil as local addr to force runtime to find the best suitable local address IP given the destination
// address as context.
udpConn, err := net.DialUDP("udp", nil, addr)
if err != nil {
return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
}
return udpConn, nil
}

219
ingress/origins/dns.go
View File

@ -1,219 +0,0 @@
package origins
import (
"context"
"crypto/rand"
"math/big"
"net"
"net/netip"
"slices"
"sync"
"time"
"github.com/rs/zerolog"
"github.com/cloudflare/cloudflared/ingress"
)
const (
// We need a DNS record:
// 1. That will be around for as long as cloudflared is
// 2. That Cloudflare controls: to allow us to make changes if needed
// 3. That is an external record to a typical customer's network: enforcing that the DNS request go to the
// local DNS resolver over any local /etc/host configurations setup.
// 4. That cloudflared would normally query: ensuring that users with a positive security model for DNS queries
// don't need to adjust anything.
//
// This hostname is one that used during the edge discovery process and as such satisfies the above constraints.
defaultLookupHost = "region1.v2.argotunnel.com"
defaultResolverPort uint16 = 53
// We want the refresh time to be short to accommodate DNS resolver changes locally, but not too frequent as to
// shuffle the resolver if multiple are configured.
refreshFreq = 5 * time.Minute
refreshTimeout = 5 * time.Second
)
var (
// Virtual DNS service address
VirtualDNSServiceAddr = netip.AddrPortFrom(netip.MustParseAddr("2606:4700:0cf1:2000:0000:0000:0000:0001"), 53)
defaultResolverAddr = netip.AddrPortFrom(netip.MustParseAddr("127.0.0.1"), defaultResolverPort)
)
type netDial func(network string, address string) (net.Conn, error)
// DNSResolverService will make DNS requests to the local DNS resolver via the Dial method.
type DNSResolverService struct {
addresses []netip.AddrPort
addressesM sync.RWMutex
static bool
dialer ingress.OriginDialer
resolver peekResolver
logger *zerolog.Logger
metrics Metrics
}
func NewDNSResolverService(dialer ingress.OriginDialer, logger *zerolog.Logger, metrics Metrics) *DNSResolverService {
return &DNSResolverService{
addresses: []netip.AddrPort{defaultResolverAddr},
dialer: dialer,
resolver: &resolver{dialFunc: net.Dial},
logger: logger,
metrics: metrics,
}
}
func NewStaticDNSResolverService(resolverAddrs []netip.AddrPort, dialer ingress.OriginDialer, logger *zerolog.Logger, metrics Metrics) *DNSResolverService {
s := NewDNSResolverService(dialer, logger, metrics)
s.addresses = resolverAddrs
s.static = true
return s
}
func (s *DNSResolverService) DialTCP(ctx context.Context, _ netip.AddrPort) (net.Conn, error) {
s.metrics.IncrementDNSTCPRequests()
dest := s.getAddress()
// The dialer ignores the provided address because the request will instead go to the local DNS resolver.
return s.dialer.DialTCP(ctx, dest)
}
func (s *DNSResolverService) DialUDP(_ netip.AddrPort) (net.Conn, error) {
s.metrics.IncrementDNSUDPRequests()
dest := s.getAddress()
// The dialer ignores the provided address because the request will instead go to the local DNS resolver.
return s.dialer.DialUDP(dest)
}
// StartRefreshLoop is a routine that is expected to run in the background to update the DNS local resolver if
// adjusted while the cloudflared process is running.
// Does not run when the resolver was provided with external resolver addresses via CLI.
func (s *DNSResolverService) StartRefreshLoop(ctx context.Context) {
if s.static {
s.logger.Debug().Msgf("Canceled DNS local resolver refresh loop because static resolver addresses were provided: %s", s.addresses)
return
}
// Call update first to load an address before handling traffic
err := s.update(ctx)
if err != nil {
s.logger.Err(err).Msg("Failed to initialize DNS local resolver")
}
for {
select {
case <-ctx.Done():
return
case <-time.Tick(refreshFreq):
err := s.update(ctx)
if err != nil {
s.logger.Err(err).Msg("Failed to refresh DNS local resolver")
}
}
}
}
func (s *DNSResolverService) update(ctx context.Context) error {
ctx, cancel := context.WithTimeout(ctx, refreshTimeout)
defer cancel()
// Make a standard DNS request to a well-known DNS record that will last a long time
_, err := s.resolver.lookupNetIP(ctx, defaultLookupHost)
if err != nil {
return err
}
// Validate the address before updating internal reference
_, address := s.resolver.addr()
peekAddrPort, err := netip.ParseAddrPort(address)
if err == nil {
s.setAddress(peekAddrPort)
return nil
}
// It's possible that the address didn't have an attached port, attempt to parse just the address and use
// the default port 53
peekAddr, err := netip.ParseAddr(address)
if err != nil {
return err
}
s.setAddress(netip.AddrPortFrom(peekAddr, defaultResolverPort))
return nil
}
// returns the address from the peekResolver or from the static addresses if provided.
// If multiple addresses are provided in the static addresses pick one randomly.
func (s *DNSResolverService) getAddress() netip.AddrPort {
s.addressesM.RLock()
defer s.addressesM.RUnlock()
l := len(s.addresses)
if l <= 0 {
return defaultResolverAddr
}
if l == 1 {
return s.addresses[0]
}
// Only initialize the random selection if there is more than one element in the list.
var i int64 = 0
r, err := rand.Int(rand.Reader, big.NewInt(int64(l)))
// We ignore errors from crypto rand and use index 0; this should be extremely unlikely and the
// list index doesn't need to be cryptographically secure, but linters insist.
if err == nil {
i = r.Int64()
}
return s.addresses[i]
}
// lock and update the address used for the local DNS resolver
func (s *DNSResolverService) setAddress(addr netip.AddrPort) {
s.addressesM.Lock()
defer s.addressesM.Unlock()
if !slices.Contains(s.addresses, addr) {
s.logger.Debug().Msgf("Updating DNS local resolver: %s", addr)
}
// We only store one address when reading the peekResolver, so we just replace the whole list.
s.addresses = []netip.AddrPort{addr}
}
type peekResolver interface {
addr() (network string, address string)
lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error)
}
// resolver is a shim that inspects the go runtime's DNS resolution process to capture the DNS resolver
// address used to complete a DNS request.
type resolver struct {
network string
address string
dialFunc netDial
}
func (r *resolver) addr() (network string, address string) {
return r.network, r.address
}
func (r *resolver) lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error) {
resolver := &net.Resolver{
PreferGo: true,
// Use the peekDial to inspect the results of the DNS resolver used during the LookupIPAddr call.
Dial: r.peekDial,
}
return resolver.LookupNetIP(ctx, "ip", host)
}
func (r *resolver) peekDial(ctx context.Context, network, address string) (net.Conn, error) {
r.network = network
r.address = address
return r.dialFunc(network, address)
}
// NewDNSDialer creates a custom dialer for the DNS resolver service to utilize.
func NewDNSDialer() *ingress.Dialer {
return &ingress.Dialer{
Dialer: net.Dialer{
// We want short timeouts for the DNS requests
Timeout: 5 * time.Second,
// We do not want keep alive since the edge will not reuse TCP connections per request
KeepAlive: -1,
KeepAliveConfig: net.KeepAliveConfig{
Enable: false,
},
},
}
}

195
ingress/origins/dns_test.go
View File

@ -1,195 +0,0 @@
package origins
import (
"context"
"errors"
"net"
"net/netip"
"slices"
"testing"
"time"
"github.com/rs/zerolog"
)
func TestDNSResolver_DefaultResolver(t *testing.T) {
log := zerolog.Nop()
service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
mockResolver := &mockPeekResolver{
address: "127.0.0.2:53",
}
service.resolver = mockResolver
validateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)
}
func TestStaticDNSResolver_DefaultResolver(t *testing.T) {
log := zerolog.Nop()
addresses := []netip.AddrPort{netip.MustParseAddrPort("1.1.1.1:53"), netip.MustParseAddrPort("1.0.0.1:53")}
service := NewStaticDNSResolverService(addresses, NewDNSDialer(), &log, &noopMetrics{})
mockResolver := &mockPeekResolver{
address: "127.0.0.2:53",
}
service.resolver = mockResolver
validateAddrs(t, addresses, service.addresses)
}
func TestDNSResolver_UpdateResolverAddress(t *testing.T) {
log := zerolog.Nop()
service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
mockResolver := &mockPeekResolver{}
service.resolver = mockResolver
tests := []struct {
addr string
expected netip.AddrPort
}{
{"127.0.0.2:53", netip.MustParseAddrPort("127.0.0.2:53")},
// missing port should be added (even though this is unlikely to happen)
{"127.0.0.3", netip.MustParseAddrPort("127.0.0.3:53")},
}
for _, test := range tests {
mockResolver.address = test.addr
// Update the resolver address
err := service.update(t.Context())
if err != nil {
t.Error(err)
}
// Validate expected
validateAddrs(t, []netip.AddrPort{test.expected}, service.addresses)
}
}
func TestStaticDNSResolver_RefreshLoopExits(t *testing.T) {
log := zerolog.Nop()
addresses := []netip.AddrPort{netip.MustParseAddrPort("1.1.1.1:53"), netip.MustParseAddrPort("1.0.0.1:53")}
service := NewStaticDNSResolverService(addresses, NewDNSDialer(), &log, &noopMetrics{})
mockResolver := &mockPeekResolver{
address: "127.0.0.2:53",
}
service.resolver = mockResolver
ctx, cancel := context.WithCancel(t.Context())
defer cancel()
go service.StartRefreshLoop(ctx)
// Wait for the refresh loop to end _and_ not update the addresses
time.Sleep(10 * time.Millisecond)
// Validate expected
validateAddrs(t, addresses, service.addresses)
}
func TestDNSResolver_UpdateResolverAddressInvalid(t *testing.T) {
log := zerolog.Nop()
service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
mockResolver := &mockPeekResolver{}
service.resolver = mockResolver
invalidAddresses := []string{
"999.999.999.999",
"localhost",
"255.255.255",
}
for _, addr := range invalidAddresses {
mockResolver.address = addr
// Update the resolver address should not update for these invalid addresses
err := service.update(t.Context())
if err == nil {
t.Error("service update should throw an error")
}
// Validate expected
validateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)
}
}
func TestDNSResolver_UpdateResolverErrorIgnored(t *testing.T) {
log := zerolog.Nop()
service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
resolverErr := errors.New("test resolver error")
mockResolver := &mockPeekResolver{err: resolverErr}
service.resolver = mockResolver
// Update the resolver address should not update when the resolver cannot complete the lookup
err := service.update(t.Context())
if err != resolverErr {
t.Error("service update should throw an error")
}
// Validate expected
validateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)
}
func TestDNSResolver_DialUDPUsesResolvedAddress(t *testing.T) {
log := zerolog.Nop()
mockDialer := &mockDialer{expected: defaultResolverAddr}
service := NewDNSResolverService(mockDialer, &log, &noopMetrics{})
mockResolver := &mockPeekResolver{}
service.resolver = mockResolver
// Attempt a dial to 127.0.0.2:53 which should be ignored and instead resolve to 127.0.0.1:53
_, err := service.DialUDP(netip.MustParseAddrPort("127.0.0.2:53"))
if err != nil {
t.Error(err)
}
}
func TestDNSResolver_DialTCPUsesResolvedAddress(t *testing.T) {
log := zerolog.Nop()
mockDialer := &mockDialer{expected: defaultResolverAddr}
service := NewDNSResolverService(mockDialer, &log, &noopMetrics{})
mockResolver := &mockPeekResolver{}
service.resolver = mockResolver
// Attempt a dial to 127.0.0.2:53 which should be ignored and instead resolve to 127.0.0.1:53
_, err := service.DialTCP(t.Context(), netip.MustParseAddrPort("127.0.0.2:53"))
if err != nil {
t.Error(err)
}
}
type mockPeekResolver struct {
err error
address string
}
func (r *mockPeekResolver) addr() (network, address string) {
return "udp", r.address
}
func (r *mockPeekResolver) lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error) {
// We can return an empty result as it doesn't matter as long as the lookup doesn't fail
return []netip.Addr{}, r.err
}
type mockDialer struct {
expected netip.AddrPort
}
func (d *mockDialer) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
if d.expected != addr {
return nil, errors.New("unexpected address dialed")
}
return nil, nil
}
func (d *mockDialer) DialUDP(addr netip.AddrPort) (net.Conn, error) {
if d.expected != addr {
return nil, errors.New("unexpected address dialed")
}
return nil, nil
}
func validateAddrs(t *testing.T, expected []netip.AddrPort, actual []netip.AddrPort) {
if len(actual) != len(expected) {
t.Errorf("addresses should only contain one element: %s", actual)
}
for _, e := range expected {
if !slices.Contains(actual, e) {
t.Errorf("missing address: %s in %s", e, actual)
}
}
}

40
ingress/origins/metrics.go
View File

@ -1,40 +0,0 @@
package origins
import (
"github.com/prometheus/client_golang/prometheus"
)
const (
namespace = "cloudflared"
subsystem = "virtual_origins"
)
type Metrics interface {
IncrementDNSUDPRequests()
IncrementDNSTCPRequests()
}
type metrics struct {
dnsResolverRequests *prometheus.CounterVec
}
func (m *metrics) IncrementDNSUDPRequests() {
m.dnsResolverRequests.WithLabelValues("udp").Inc()
}
func (m *metrics) IncrementDNSTCPRequests() {
m.dnsResolverRequests.WithLabelValues("tcp").Inc()
}
func NewMetrics(registerer prometheus.Registerer) Metrics {
m := &metrics{
dnsResolverRequests: prometheus.NewCounterVec(prometheus.CounterOpts{
Namespace: namespace,
Subsystem: subsystem,
Name: "dns_requests_total",
Help: "Total count of DNS requests that have been proxied to the virtual DNS resolver origin",
}, []string{"protocol"}),
}
registerer.MustRegister(m.dnsResolverRequests)
return m
}

6
ingress/origins/metrics_test.go
View File

@ -1,6 +0,0 @@
package origins
type noopMetrics struct{}
func (noopMetrics) IncrementDNSUDPRequests() {}
func (noopMetrics) IncrementDNSTCPRequests() {}

11
management/middleware.go
View File

@ -12,7 +12,14 @@ const (
accessClaimsCtxKey ctxKey = iota
)
var errMissingAccessToken = managementError{Code: 1001, Message: "missing access_token query parameter"}
const (
connectorIDQuery = "connector_id"
accessTokenQuery = "access_token"
)
var (
errMissingAccessToken = managementError{Code: 1001, Message: "missing access_token query parameter"}
)
// HTTP middleware setting the parsed access_token claims in the request context
func ValidateAccessTokenQueryMiddleware(next http.Handler) http.Handler {
@ -23,7 +30,7 @@ func ValidateAccessTokenQueryMiddleware(next http.Handler) http.Handler {
writeHTTPErrorResponse(w, errMissingAccessToken)
return
}
token, err := ParseToken(accessToken)
token, err := parseToken(accessToken)
if err != nil {
writeHTTPErrorResponse(w, errMissingAccessToken)
return

9
management/token.go
View File

@ -7,12 +7,9 @@ import (
"github.com/go-jose/go-jose/v4/jwt"
)
const tunnelstoreFEDIssuer = "fed-tunnelstore"
type managementTokenClaims struct {
Tunnel tunnel `json:"tun"`
Actor actor `json:"actor"`
jwt.Claims
}
// VerifyTunnel compares the tun claim isn't empty
@ -40,7 +37,7 @@ func (t *actor) verify() bool {
return t.ID != ""
}
func ParseToken(token string) (*managementTokenClaims, error) {
func parseToken(token string) (*managementTokenClaims, error) {
jwt, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.ES256})
if err != nil {
return nil, fmt.Errorf("malformed jwt: %v", err)
@ -57,7 +54,3 @@ func ParseToken(token string) (*managementTokenClaims, error) {
}
return &claims, nil
}
func (m *managementTokenClaims) IsFed() bool {
return m.Issuer == tunnelstoreFEDIssuer
}

6
management/token_test.go
View File

@ -12,7 +12,7 @@ import (
)
const (
validToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.eyJ0dW4iOnsiaWQiOiI3YjA5ODE0OS01MWZlLTRlZTUtYTY4Ny0zZTM3NDQ2NmVmYzciLCJhY2NvdW50X3RhZyI6ImNkMzkxZTljMDYyNmE4Zjc2Y2IxZjY3MGY2NTkxYjA1In0sImFjdG9yIjp7ImlkIjoiZGNhcnJAY2xvdWRmbGFyZS5jb20iLCJzdXBwb3J0IjpmYWxzZX0sInJlcyI6WyJsb2dzIl0sImV4cCI6MTY3NzExNzY5NiwiaWF0IjoxNjc3MTE0MDk2LCJpc3MiOiJ0dW5uZWxzdG9yZSJ9.mKenOdOy3Xi4O-grldFnAAemdlE9WajEpTDC_FwezXQTstWiRTLwU65P5jt4vNsIiZA4OJRq7bH-QYID9wf9NA" // nolint: gosec
validToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.eyJ0dW4iOnsiaWQiOiI3YjA5ODE0OS01MWZlLTRlZTUtYTY4Ny0zZTM3NDQ2NmVmYzciLCJhY2NvdW50X3RhZyI6ImNkMzkxZTljMDYyNmE4Zjc2Y2IxZjY3MGY2NTkxYjA1In0sImFjdG9yIjp7ImlkIjoiZGNhcnJAY2xvdWRmbGFyZS5jb20iLCJzdXBwb3J0IjpmYWxzZX0sInJlcyI6WyJsb2dzIl0sImV4cCI6MTY3NzExNzY5NiwiaWF0IjoxNjc3MTE0MDk2LCJpc3MiOiJ0dW5uZWxzdG9yZSJ9.mKenOdOy3Xi4O-grldFnAAemdlE9WajEpTDC_FwezXQTstWiRTLwU65P5jt4vNsIiZA4OJRq7bH-QYID9wf9NA"
accountTag = "cd391e9c0626a8f76cb1f670f6591b05"
tunnelID = "7b098149-51fe-4ee5-a687-3e374466efc7"
@ -105,12 +105,12 @@ func TestParseToken(t *testing.T) {
} {
t.Run(test.name, func(t *testing.T) {
jwt := signToken(t, test.claims, key)
claims, err := ParseToken(jwt)
claims, err := parseToken(jwt)
if test.err != nil {
require.EqualError(t, err, test.err.Error())
return
}
require.NoError(t, err)
require.Nil(t, err)
require.Equal(t, test.claims, *claims)
})
}

3
orchestration/config.go
View File

@ -2,6 +2,7 @@ package orchestration
import (
"encoding/json"
"time"
"github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/ingress"
@ -21,7 +22,7 @@ type newLocalConfig struct {
type Config struct {
Ingress *ingress.Ingress
WarpRouting ingress.WarpRoutingConfig
OriginDialerService *ingress.OriginDialerService
WriteTimeout time.Duration
// Extra settings used to configure this instance but that are not eligible for remotely management
// ie. (--protocol, --loglevel, ...)

16
orchestration/orchestrator.go
View File

@ -38,8 +38,6 @@ type Orchestrator struct {
tags []pogs.Tag
// flowLimiter tracks active sessions across the tunnel and limits new sessions if they are above the limit.
flowLimiter cfdflow.Limiter
// Origin dialer service to manage egress socket dialing.
originDialerService *ingress.OriginDialerService
log *zerolog.Logger
// orchestrator must not handle any more updates after shutdownC is closed
@ -52,8 +50,7 @@ func NewOrchestrator(ctx context.Context,
config *Config,
tags []pogs.Tag,
internalRules []ingress.Rule,
log *zerolog.Logger,
) (*Orchestrator, error) {
log *zerolog.Logger) (*Orchestrator, error) {
o := &Orchestrator{
// Lowest possible version, any remote configuration will have version higher than this
// Starting at -1 allows a configuration migration (local to remote) to override the current configuration as it
@ -63,7 +60,6 @@ func NewOrchestrator(ctx context.Context,
config: config,
tags: tags,
flowLimiter: cfdflow.NewLimiter(config.WarpRouting.MaxActiveFlows),
originDialerService: config.OriginDialerService,
log: log,
shutdownC: ctx.Done(),
}
@ -179,15 +175,7 @@ func (o *Orchestrator) updateIngress(ingressRules ingress.Ingress, warpRouting i
// Update the flow limit since the configuration might have changed
o.flowLimiter.SetLimit(warpRouting.MaxActiveFlows)
// Update the origin dialer service with the new dialer settings
// We need to update the dialer here instead of creating a new instance of OriginDialerService because it has
// its own references and go routines. Specifically, the UDP dialer is a reference to this same service all the
// way into the datagram manager. Reconstructing the datagram manager is not something we currently provide during
// runtime in response to a configuration push except when starting a tunnel connection.
o.originDialerService.UpdateDefaultDialer(ingress.NewDialer(warpRouting))
// Create and replace the origin proxy with a new instance
proxy := proxy.NewOriginProxy(ingressRules, o.originDialerService, o.tags, o.flowLimiter, o.log)
proxy := proxy.NewOriginProxy(ingressRules, warpRouting, o.tags, o.flowLimiter, o.config.WriteTimeout, o.log)
o.proxy.Store(proxy)
o.config.Ingress = &ingressRules
o.config.WarpRouting = warpRouting

116
orchestration/orchestrator_test.go
View File

@ -41,11 +41,6 @@ var (
Value: "test",
},
}
testDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{
ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
TCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},
MaxActiveFlows: 0,
})
)
// TestUpdateConfiguration tests that
@ -55,13 +50,8 @@ var (
// - configurations can be deserialized
// - receiving an old version is noop
func TestUpdateConfiguration(t *testing.T) {
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
initConfig := &Config{
Ingress: &ingress.Ingress{},
OriginDialerService: originDialer,
}
orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{ingress.NewManagementRule(management.New("management.argotunnel.com", false, "1.1.1.1:80", uuid.Nil, "", &testLogger, nil))}, &testLogger)
require.NoError(t, err)
@ -189,13 +179,8 @@ func TestUpdateConfiguration(t *testing.T) {
// Validates that a new version 0 will be applied if the configuration is loaded locally.
// This will happen when a locally managed tunnel is migrated to remote configuration and receives its first configuration.
func TestUpdateConfiguration_FromMigration(t *testing.T) {
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
initConfig := &Config{
Ingress: &ingress.Ingress{},
OriginDialerService: originDialer,
}
orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)
require.NoError(t, err)
@ -220,13 +205,8 @@ func TestUpdateConfiguration_FromMigration(t *testing.T) {
// Validates that the default ingress rule will be set if there is no rule provided from the remote.
func TestUpdateConfiguration_WithoutIngressRule(t *testing.T) {
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
initConfig := &Config{
Ingress: &ingress.Ingress{},
OriginDialerService: originDialer,
}
orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)
require.NoError(t, err)
@ -264,11 +244,6 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
require.NoError(t, err)
defer tcpOrigin.Close()
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
var (
configJSONV1 = []byte(fmt.Sprintf(`
{
@ -322,7 +297,6 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
initConfig = &Config{
Ingress: &ingress.Ingress{},
OriginDialerService: originDialer,
}
)
@ -339,7 +313,7 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
go func() {
serveTCPOrigin(t, tcpOrigin, &wg)
}()
for i := range concurrentRequests {
for i := 0; i < concurrentRequests; i++ {
originProxy, err := orchestrator.GetOriginProxy()
require.NoError(t, err)
wg.Add(1)
@ -349,37 +323,48 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
assert.NoError(t, err, "proxyHTTP %d failed %v", i, err)
defer resp.Body.Close()
var warpRoutingDisabled bool
// The response can be from initOrigin, http_status:204 or http_status:418
switch resp.StatusCode {
// v1 proxy
// v1 proxy, warp enabled
case 200:
body, err := io.ReadAll(resp.Body)
assert.NoError(t, err)
assert.Equal(t, t.Name(), string(body))
// v2 proxy
warpRoutingDisabled = false
// v2 proxy, warp disabled
case 204:
assert.Greater(t, i, concurrentRequests/4)
// v3 proxy
warpRoutingDisabled = true
// v3 proxy, warp enabled
case 418:
assert.Greater(t, i, concurrentRequests/2)
warpRoutingDisabled = false
}
// Once we have originProxy, it won't be changed by configuration updates.
// We can infer the version by the ProxyHTTP response code
pr, pw := io.Pipe()
w := newRespReadWriteFlusher()
// Write TCP message and make sure it's echo back. This has to be done in a go routune since ProxyTCP doesn't
// return until the stream is closed.
if !warpRoutingDisabled {
wg.Add(1)
go func() {
defer wg.Done()
defer pw.Close()
tcpEyeball(t, pw, tcpBody, w)
}()
}
err = proxyTCP(ctx, originProxy, tcpOrigin.Addr().String(), w, pr)
if warpRoutingDisabled {
assert.Error(t, err, "expect proxyTCP %d to return error", i)
} else {
assert.NoError(t, err, "proxyTCP %d failed %v", i, err)
}
}(i, originProxy)
if i == concurrentRequests/4 {
@ -421,47 +406,39 @@ func TestOverrideWarpRoutingConfigWithLocalValues(t *testing.T) {
require.EqualValues(t, expectedValue, warpRouting["maxActiveFlows"])
}
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
// All the possible values set for MaxActiveFlows from the various points that can provide it:
// 1. Initialized value
// 2. Local CLI flag config
// 3. Remote configuration value
initValue := uint64(0)
localValue := uint64(100)
remoteValue := uint64(500)
initConfig := &Config{
Ingress: &ingress.Ingress{},
WarpRouting: ingress.WarpRoutingConfig{
MaxActiveFlows: initValue,
},
OriginDialerService: originDialer,
ConfigurationFlags: map[string]string{
flags.MaxActiveFlows: fmt.Sprintf("%d", localValue),
},
}
// We expect the local configuration flag to be the starting value
orchestrator, err := NewOrchestrator(ctx, initConfig, testTags, []ingress.Rule{}, &testLogger)
require.NoError(t, err)
assertMaxActiveFlows(orchestrator, localValue)
// Assigning the MaxActiveFlows in the remote config should be ignored over the local config
remoteValue := uint64(100)
remoteIngress := ingress.Ingress{}
remoteWarpConfig := ingress.WarpRoutingConfig{
MaxActiveFlows: remoteValue,
}
remoteConfig := &Config{
Ingress: &remoteIngress,
WarpRouting: remoteWarpConfig,
ConfigurationFlags: map[string]string{},
}
orchestrator, err := NewOrchestrator(ctx, remoteConfig, testTags, []ingress.Rule{}, &testLogger)
require.NoError(t, err)
assertMaxActiveFlows(orchestrator, remoteValue)
// Add a local override for the maxActiveFlows
localValue := uint64(500)
remoteConfig.ConfigurationFlags[flags.MaxActiveFlows] = fmt.Sprintf("%d", localValue)
// Force a configuration refresh
err = orchestrator.updateIngress(ingress.Ingress{}, remoteWarpConfig)
err = orchestrator.updateIngress(remoteIngress, remoteWarpConfig)
require.NoError(t, err)
// Check the value being used is the local one
assertMaxActiveFlows(orchestrator, localValue)
// Remove local override for the maxActiveFlows
delete(remoteConfig.ConfigurationFlags, flags.MaxActiveFlows)
// Force a configuration refresh
err = orchestrator.updateIngress(remoteIngress, remoteWarpConfig)
require.NoError(t, err)
// Check the value being used is now the remote again
assertMaxActiveFlows(orchestrator, remoteValue)
}
func proxyHTTP(originProxy connection.OriginProxy, hostname string) (*http.Response, error) {
@ -569,10 +546,6 @@ func updateWithValidation(t *testing.T, orchestrator *Orchestrator, version int3
// TestClosePreviousProxies makes sure proxies started in the previous configuration version are shutdown
func TestClosePreviousProxies(t *testing.T) {
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
var (
hostname = "hello.tunnel1.org"
configWithHelloWorld = []byte(fmt.Sprintf(`
@ -604,7 +577,6 @@ func TestClosePreviousProxies(t *testing.T) {
`)
initConfig = &Config{
Ingress: &ingress.Ingress{},
OriginDialerService: originDialer,
}
)
@ -666,13 +638,8 @@ func TestPersistentConnection(t *testing.T) {
hostname = "http://ws.tunnel.org"
)
msg := t.Name()
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &testLogger)
initConfig := &Config{
Ingress: &ingress.Ingress{},
OriginDialerService: originDialer,
}
orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)
require.NoError(t, err)
@ -785,9 +752,8 @@ func TestSerializeLocalConfig(t *testing.T) {
ConfigurationFlags: map[string]string{"a": "b"},
}
result, err := json.Marshal(c)
require.NoError(t, err)
require.JSONEq(t, `{"__configuration_flags":{"a":"b"},"ingress":[],"warp-routing":{"connectTimeout":0,"tcpKeepAlive":0}}`, string(result))
result, _ := json.Marshal(c)
fmt.Println(string(result))
}
func wsEcho(w http.ResponseWriter, r *http.Request) {

2
postinst.sh
View File

@ -1,5 +1,5 @@
#!/bin/bash
set -eu
ln -sf /usr/bin/cloudflared /usr/local/bin/cloudflared
ln -s /usr/bin/cloudflared /usr/local/bin/cloudflared
mkdir -p /usr/local/etc/cloudflared/
touch /usr/local/etc/cloudflared/.installedFromPackageManager || true

72
proxy/proxy.go
View File

@ -5,11 +5,11 @@ import (
"fmt"
"io"
"net/http"
"net/netip"
"strconv"
"time"
"github.com/pkg/errors"
pkgerrors "github.com/pkg/errors"
"github.com/rs/zerolog"
"go.opentelemetry.io/otel/attribute"
"go.opentelemetry.io/otel/trace"
@ -35,7 +35,7 @@ const (
// Proxy represents a means to Proxy between cloudflared and the origin services.
type Proxy struct {
ingressRules ingress.Ingress
originDialer ingress.OriginTCPDialer
warpRouting *ingress.WarpRoutingService
tags []pogs.Tag
flowLimiter cfdflow.Limiter
log *zerolog.Logger
@ -44,19 +44,21 @@ type Proxy struct {
// NewOriginProxy returns a new instance of the Proxy struct.
func NewOriginProxy(
ingressRules ingress.Ingress,
originDialer ingress.OriginDialer,
warpRouting ingress.WarpRoutingConfig,
tags []pogs.Tag,
flowLimiter cfdflow.Limiter,
writeTimeout time.Duration,
log *zerolog.Logger,
) *Proxy {
proxy := &Proxy{
ingressRules: ingressRules,
originDialer: originDialer,
tags: tags,
flowLimiter: flowLimiter,
log: log,
}
proxy.warpRouting = ingress.NewWarpRoutingService(warpRouting, writeTimeout)
return proxy
}
@ -144,18 +146,24 @@ func (p *Proxy) ProxyHTTP(
// ProxyTCP proxies to a TCP connection between the origin service and cloudflared.
func (p *Proxy) ProxyTCP(
ctx context.Context,
conn connection.ReadWriteAcker,
rwa connection.ReadWriteAcker,
req *connection.TCPRequest,
) error {
incrementTCPRequests()
defer decrementTCPConcurrentRequests()
if p.warpRouting == nil {
err := errors.New(`cloudflared received a request from WARP client, but your configuration has disabled ingress from WARP clients. To enable this, set "warp-routing:\n\t enabled: true" in your config.yaml`)
p.log.Error().Msg(err.Error())
return err
}
logger := newTCPLogger(p.log, req)
// Try to start a new flow
if err := p.flowLimiter.Acquire(management.TCP.String()); err != nil {
logger.Warn().Msg("Too many concurrent flows being handled, rejecting tcp proxy")
return errors.Wrap(err, "failed to start tcp flow due to rate limiting")
return pkgerrors.Wrap(err, "failed to start tcp flow due to rate limiting")
}
defer p.flowLimiter.Release()
@ -165,14 +173,7 @@ func (p *Proxy) ProxyTCP(
tracedCtx := tracing.NewTracedContext(serveCtx, req.CfTraceID, &logger)
logger.Debug().Msg("tcp proxy stream started")
// Parse the destination into a netip.AddrPort
dest, err := netip.ParseAddrPort(req.Dest)
if err != nil {
logRequestError(&logger, err)
return err
}
if err := p.proxyTCPStream(tracedCtx, conn, dest, p.originDialer, &logger); err != nil {
if err := p.proxyStream(tracedCtx, rwa, req.Dest, p.warpRouting.Proxy, &logger); err != nil {
logRequestError(&logger, err)
return err
}
@ -278,14 +279,14 @@ func (p *Proxy) proxyStream(
tr *tracing.TracedContext,
rwa connection.ReadWriteAcker,
dest string,
originDialer ingress.StreamBasedOriginProxy,
connectionProxy ingress.StreamBasedOriginProxy,
logger *zerolog.Logger,
) error {
ctx := tr.Context
_, connectSpan := tr.Tracer().Start(ctx, "stream-connect")
start := time.Now()
originConn, err := originDialer.EstablishConnection(ctx, dest, logger)
originConn, err := connectionProxy.EstablishConnection(ctx, dest, logger)
if err != nil {
connectStreamErrors.Inc()
tracing.EndWithErrorStatus(connectSpan, err)
@ -309,45 +310,6 @@ func (p *Proxy) proxyStream(
return nil
}
// proxyTCPStream proxies private network type TCP connections as a stream towards an available origin.
//
// This is different than proxyStream because it's not leveraged ingress rule services and uses the
// originDialer from OriginDialerService.
func (p *Proxy) proxyTCPStream(
tr *tracing.TracedContext,
tunnelConn connection.ReadWriteAcker,
dest netip.AddrPort,
originDialer ingress.OriginTCPDialer,
logger *zerolog.Logger,
) error {
ctx := tr.Context
_, connectSpan := tr.Tracer().Start(ctx, "stream-connect")
start := time.Now()
originConn, err := originDialer.DialTCP(ctx, dest)
if err != nil {
connectStreamErrors.Inc()
tracing.EndWithErrorStatus(connectSpan, err)
return err
}
connectSpan.End()
defer originConn.Close()
logger.Debug().Msg("origin connection established")
encodedSpans := tr.GetSpans()
if err := tunnelConn.AckConnection(encodedSpans); err != nil {
connectStreamErrors.Inc()
return err
}
connectLatency.Observe(float64(time.Since(start).Milliseconds()))
logger.Debug().Msg("proxy stream acknowledged")
stream.Pipe(tunnelConn, originConn, logger)
return nil
}
func (p *Proxy) proxyLocalRequest(proxy ingress.HTTPLocalProxy, w connection.ResponseWriter, req *http.Request, isWebsocket bool) {
if isWebsocket {
// These headers are added since they are stripped off during an eyeball request to origintunneld, but they

70
proxy/proxy_test.go
View File

@ -33,17 +33,17 @@ import (
"github.com/cloudflare/cloudflared/connection"
"github.com/cloudflare/cloudflared/hello"
"github.com/cloudflare/cloudflared/ingress"
"github.com/cloudflare/cloudflared/logger"
"github.com/cloudflare/cloudflared/tracing"
"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
)
var (
testTags = []pogs.Tag{{Name: "Name", Value: "value"}}
testDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{
ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
TCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},
MaxActiveFlows: 0,
})
noWarpRouting = ingress.WarpRoutingConfig{}
testWarpRouting = ingress.WarpRoutingConfig{
ConnectTimeout: config.CustomDuration{Duration: time.Second},
}
)
type mockHTTPRespWriter struct {
@ -162,12 +162,7 @@ func TestProxySingleOrigin(t *testing.T) {
require.NoError(t, ingressRule.StartOrigins(&log, ctx.Done()))
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &log)
proxy := NewOriginProxy(ingressRule, originDialer, testTags, cfdflow.NewLimiter(0), &log)
proxy := NewOriginProxy(ingressRule, noWarpRouting, testTags, cfdflow.NewLimiter(0), time.Duration(0), &log)
t.Run("testProxyHTTP", testProxyHTTP(proxy))
t.Run("testProxyWebsocket", testProxyWebsocket(proxy))
t.Run("testProxySSE", testProxySSE(proxy))
@ -362,7 +357,7 @@ type MultipleIngressTest struct {
}
func runIngressTestScenarios(t *testing.T, unvalidatedIngress []config.UnvalidatedIngressRule, tests []MultipleIngressTest) {
ingressRule, err := ingress.ParseIngress(&config.Configuration{
ingress, err := ingress.ParseIngress(&config.Configuration{
TunnelID: t.Name(),
Ingress: unvalidatedIngress,
})
@ -371,14 +366,9 @@ func runIngressTestScenarios(t *testing.T, unvalidatedIngress []config.Unvalidat
log := zerolog.Nop()
ctx, cancel := context.WithCancel(t.Context())
require.NoError(t, ingressRule.StartOrigins(&log, ctx.Done()))
require.NoError(t, ingress.StartOrigins(&log, ctx.Done()))
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &log)
proxy := NewOriginProxy(ingressRule, originDialer, testTags, cfdflow.NewLimiter(0), &log)
proxy := NewOriginProxy(ingress, noWarpRouting, testTags, cfdflow.NewLimiter(0), time.Duration(0), &log)
for _, test := range tests {
responseWriter := newMockHTTPRespWriter()
@ -426,12 +416,7 @@ func TestProxyError(t *testing.T) {
log := zerolog.Nop()
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 1 * time.Second,
}, &log)
proxy := NewOriginProxy(ing, originDialer, testTags, cfdflow.NewLimiter(0), &log)
proxy := NewOriginProxy(ing, noWarpRouting, testTags, cfdflow.NewLimiter(0), time.Duration(0), &log)
responseWriter := newMockHTTPRespWriter()
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1", nil)
@ -482,7 +467,7 @@ func (r *replayer) Bytes() []byte {
// WS - TCP: When a tcp based ingress is configured on the origin and the
// eyeball sends tcp packets wrapped in websockets. (E.g: cloudflared access).
func TestConnections(t *testing.T) {
log := zerolog.Nop()
logger := logger.Create(nil)
replayer := &replayer{rw: bytes.NewBuffer([]byte{})}
type args struct {
ingressServiceScheme string
@ -490,6 +475,9 @@ func TestConnections(t *testing.T) {
eyeballResponseWriter connection.ResponseWriter
eyeballRequestBody io.ReadCloser
// Can be set to nil to show warp routing is not enabled.
warpRoutingService *ingress.WarpRoutingService
// eyeball connection type.
connectionType connection.Type
@ -500,11 +488,6 @@ func TestConnections(t *testing.T) {
flowLimiterResponse error
}
originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
type want struct {
message []byte
headers http.Header
@ -547,6 +530,7 @@ func TestConnections(t *testing.T) {
originService: runEchoTCPService,
eyeballResponseWriter: newTCPRespWriter(replayer),
eyeballRequestBody: newTCPRequestBody([]byte("test2")),
warpRoutingService: ingress.NewWarpRoutingService(testWarpRouting, time.Duration(0)),
connectionType: connection.TypeTCP,
requestHeaders: map[string][]string{
"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
@ -564,6 +548,7 @@ func TestConnections(t *testing.T) {
originService: runEchoWSService,
// eyeballResponseWriter gets set after roundtrip dial.
eyeballRequestBody: newPipedWSRequestBody([]byte("test3")),
warpRoutingService: ingress.NewWarpRoutingService(testWarpRouting, time.Duration(0)),
requestHeaders: map[string][]string{
"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
},
@ -616,6 +601,23 @@ func TestConnections(t *testing.T) {
headers: map[string][]string{},
},
},
{
name: "tcp-tcp proxy without warpRoutingService enabled",
args: args{
ingressServiceScheme: "tcp://",
originService: runEchoTCPService,
eyeballResponseWriter: newTCPRespWriter(replayer),
eyeballRequestBody: newTCPRequestBody([]byte("test2")),
connectionType: connection.TypeTCP,
requestHeaders: map[string][]string{
"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
},
},
want: want{
message: []byte{},
err: true,
},
},
{
name: "ws-ws proxy when origin is different",
args: args{
@ -668,6 +670,7 @@ func TestConnections(t *testing.T) {
originService: runEchoTCPService,
eyeballResponseWriter: newTCPRespWriter(replayer),
eyeballRequestBody: newTCPRequestBody([]byte("rate-limited")),
warpRoutingService: ingress.NewWarpRoutingService(testWarpRouting, time.Duration(0)),
connectionType: connection.TypeTCP,
requestHeaders: map[string][]string{
"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
@ -690,7 +693,7 @@ func TestConnections(t *testing.T) {
test.args.originService(t, ln)
ingressRule := createSingleIngressConfig(t, test.args.ingressServiceScheme+ln.Addr().String())
_ = ingressRule.StartOrigins(&log, ctx.Done())
_ = ingressRule.StartOrigins(logger, ctx.Done())
// Mock flow limiter
ctrl := gomock.NewController(t)
@ -699,7 +702,8 @@ func TestConnections(t *testing.T) {
flowLimiter.EXPECT().Acquire("tcp").AnyTimes().Return(test.args.flowLimiterResponse)
flowLimiter.EXPECT().Release().AnyTimes()
proxy := NewOriginProxy(ingressRule, originDialer, testTags, flowLimiter, &log)
proxy := NewOriginProxy(ingressRule, testWarpRouting, testTags, flowLimiter, time.Duration(0), logger)
proxy.warpRouting = test.args.warpRoutingService
dest := ln.Addr().String()
req, err := http.NewRequest(

13
quic/v3/datagram_test.go
View File

@ -1,7 +1,6 @@
package v3_test
import (
"crypto/rand"
"encoding/binary"
"errors"
"net/netip"
@ -15,16 +14,10 @@ import (
func makePayload(size int) []byte {
payload := make([]byte, size)
_, _ = rand.Read(payload)
return payload
}
func makePayloads(size int, count int) [][]byte {
payloads := make([][]byte, count)
for i := range payloads {
payloads[i] = makePayload(size)
for i := range len(payload) {
payload[i] = 0xfc
}
return payloads
return payload
}
func TestSessionRegistration_MarshalUnmarshal(t *testing.T) {

11
quic/v3/manager.go
View File

@ -2,11 +2,12 @@ package v3
import (
"errors"
"net"
"net/netip"
"sync"
"github.com/rs/zerolog"
"github.com/cloudflare/cloudflared/ingress"
"github.com/cloudflare/cloudflared/management"
cfdflow "github.com/cloudflare/cloudflared/flow"
@ -37,16 +38,18 @@ type SessionManager interface {
UnregisterSession(requestID RequestID)
}
type DialUDP func(dest netip.AddrPort) (*net.UDPConn, error)
type sessionManager struct {
sessions map[RequestID]Session
mutex sync.RWMutex
originDialer ingress.OriginUDPDialer
originDialer DialUDP
limiter cfdflow.Limiter
metrics Metrics
log *zerolog.Logger
}
func NewSessionManager(metrics Metrics, log *zerolog.Logger, originDialer ingress.OriginUDPDialer, limiter cfdflow.Limiter) SessionManager {
func NewSessionManager(metrics Metrics, log *zerolog.Logger, originDialer DialUDP, limiter cfdflow.Limiter) SessionManager {
return &sessionManager{
sessions: make(map[RequestID]Session),
originDialer: originDialer,
@ -73,7 +76,7 @@ func (s *sessionManager) RegisterSession(request *UDPSessionRegistrationDatagram
}
// Attempt to bind the UDP socket for the new session
origin, err := s.originDialer.DialUDP(request.Dest)
origin, err := s.originDialer(request.Dest)
if err != nil {
return nil, err
}

27
quic/v3/manager_test.go
View File

@ -11,7 +11,6 @@ import (
"github.com/stretchr/testify/require"
"go.uber.org/mock/gomock"
"github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/mocks"
cfdflow "github.com/cloudflare/cloudflared/flow"
@ -19,21 +18,9 @@ import (
v3 "github.com/cloudflare/cloudflared/quic/v3"
)
var (
testDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{
ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
TCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},
MaxActiveFlows: 0,
})
)
func TestRegisterSession(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
manager := v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0))
manager := v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0))
request := v3.UDPSessionRegistrationDatagram{
RequestID: testRequestID,
@ -89,11 +76,7 @@ func TestRegisterSession(t *testing.T) {
func TestGetSession_Empty(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
manager := v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0))
manager := v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0))
_, err := manager.GetSession(testRequestID)
if !errors.Is(err, v3.ErrSessionNotFound) {
@ -103,10 +86,6 @@ func TestGetSession_Empty(t *testing.T) {
func TestRegisterSessionRateLimit(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
ctrl := gomock.NewController(t)
flowLimiterMock := mocks.NewMockLimiter(ctrl)
@ -114,7 +93,7 @@ func TestRegisterSessionRateLimit(t *testing.T) {
flowLimiterMock.EXPECT().Acquire("udp").Return(cfdflow.ErrTooManyActiveFlows)
flowLimiterMock.EXPECT().Release().Times(0)
manager := v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, flowLimiterMock)
manager := v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, flowLimiterMock)
request := v3.UDPSessionRegistrationDatagram{
RequestID: testRequestID,

87
quic/v3/metrics.go
View File

@ -10,58 +10,27 @@ import (
const (
namespace = "cloudflared"
subsystem_udp = "udp"
subsystem_icmp = "icmp"
subsystem = "udp"
commandMetricLabel = "command"
reasonMetricLabel = "reason"
)
type DroppedReason int
const (
DroppedWriteFailed DroppedReason = iota
DroppedWriteDeadlineExceeded
DroppedWriteFull
DroppedWriteFlowUnknown
DroppedReadFailed
// Origin payloads that are too large to proxy.
DroppedReadTooLarge
)
var droppedReason = map[DroppedReason]string{
DroppedWriteFailed: "write_failed",
DroppedWriteDeadlineExceeded: "write_deadline_exceeded",
DroppedWriteFull: "write_full",
DroppedWriteFlowUnknown: "write_flow_unknown",
DroppedReadFailed: "read_failed",
DroppedReadTooLarge: "read_too_large",
}
func (dr DroppedReason) String() string {
return droppedReason[dr]
}
type Metrics interface {
IncrementFlows(connIndex uint8)
DecrementFlows(connIndex uint8)
FailedFlow(connIndex uint8)
PayloadTooLarge(connIndex uint8)
RetryFlowResponse(connIndex uint8)
MigrateFlow(connIndex uint8)
UnsupportedRemoteCommand(connIndex uint8, command string)
DroppedUDPDatagram(connIndex uint8, reason DroppedReason)
DroppedICMPPackets(connIndex uint8, reason DroppedReason)
}
type metrics struct {
activeUDPFlows *prometheus.GaugeVec
totalUDPFlows *prometheus.CounterVec
payloadTooLarge *prometheus.CounterVec
retryFlowResponses *prometheus.CounterVec
migratedFlows *prometheus.CounterVec
unsupportedRemoteCommands *prometheus.CounterVec
droppedUDPDatagrams *prometheus.CounterVec
droppedICMPPackets *prometheus.CounterVec
failedFlows *prometheus.CounterVec
}
func (m *metrics) IncrementFlows(connIndex uint8) {
@ -73,8 +42,8 @@ func (m *metrics) DecrementFlows(connIndex uint8) {
m.activeUDPFlows.WithLabelValues(fmt.Sprintf("%d", connIndex)).Dec()
}
func (m *metrics) FailedFlow(connIndex uint8) {
m.failedFlows.WithLabelValues(fmt.Sprintf("%d", connIndex)).Inc()
func (m *metrics) PayloadTooLarge(connIndex uint8) {
m.payloadTooLarge.WithLabelValues(fmt.Sprintf("%d", connIndex)).Inc()
}
func (m *metrics) RetryFlowResponse(connIndex uint8) {
@ -89,74 +58,52 @@ func (m *metrics) UnsupportedRemoteCommand(connIndex uint8, command string) {
m.unsupportedRemoteCommands.WithLabelValues(fmt.Sprintf("%d", connIndex), command).Inc()
}
func (m *metrics) DroppedUDPDatagram(connIndex uint8, reason DroppedReason) {
m.droppedUDPDatagrams.WithLabelValues(fmt.Sprintf("%d", connIndex), reason.String()).Inc()
}
func (m *metrics) DroppedICMPPackets(connIndex uint8, reason DroppedReason) {
m.droppedICMPPackets.WithLabelValues(fmt.Sprintf("%d", connIndex), reason.String()).Inc()
}
func NewMetrics(registerer prometheus.Registerer) Metrics {
m := &metrics{
activeUDPFlows: prometheus.NewGaugeVec(prometheus.GaugeOpts{
Namespace: namespace,
Subsystem: subsystem_udp,
Subsystem: subsystem,
Name: "active_flows",
Help: "Concurrent count of UDP flows that are being proxied to any origin",
}, []string{quic.ConnectionIndexMetricLabel}),
totalUDPFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
Namespace: namespace,
Subsystem: subsystem_udp,
Subsystem: subsystem,
Name: "total_flows",
Help: "Total count of UDP flows that have been proxied to any origin",
}, []string{quic.ConnectionIndexMetricLabel}),
failedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
payloadTooLarge: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
Namespace: namespace,
Subsystem: subsystem_udp,
Name: "failed_flows",
Help: "Total count of flows that errored and closed",
Subsystem: subsystem,
Name: "payload_too_large",
Help: "Total count of UDP flows that have had origin payloads that are too large to proxy",
}, []string{quic.ConnectionIndexMetricLabel}),
retryFlowResponses: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
Namespace: namespace,
Subsystem: subsystem_udp,
Subsystem: subsystem,
Name: "retry_flow_responses",
Help: "Total count of UDP flows that have had to send their registration response more than once",
}, []string{quic.ConnectionIndexMetricLabel}),
migratedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
Namespace: namespace,
Subsystem: subsystem_udp,
Subsystem: subsystem,
Name: "migrated_flows",
Help: "Total count of UDP flows have been migrated across local connections",
}, []string{quic.ConnectionIndexMetricLabel}),
unsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
unsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{
Namespace: namespace,
Subsystem: subsystem_udp,
Subsystem: subsystem,
Name: "unsupported_remote_command_total",
Help: "Total count of unsupported remote RPC commands called",
Help: "Total count of unsupported remote RPC commands for the ",
}, []string{quic.ConnectionIndexMetricLabel, commandMetricLabel}),
droppedUDPDatagrams: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
Namespace: namespace,
Subsystem: subsystem_udp,
Name: "dropped_datagrams",
Help: "Total count of UDP dropped datagrams",
}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),
droppedICMPPackets: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
Namespace: namespace,
Subsystem: subsystem_icmp,
Name: "dropped_packets",
Help: "Total count of ICMP dropped datagrams",
}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),
}
registerer.MustRegister(
m.activeUDPFlows,
m.totalUDPFlows,
m.failedFlows,
m.payloadTooLarge,
m.retryFlowResponses,
m.migratedFlows,
m.unsupportedRemoteCommands,
m.droppedUDPDatagrams,
m.droppedICMPPackets,
)
return m
}

5
quic/v3/metrics_test.go
View File

@ -1,15 +1,10 @@
package v3_test
import v3 "github.com/cloudflare/cloudflared/quic/v3"
type noopMetrics struct{}
func (noopMetrics) IncrementFlows(connIndex uint8) {}
func (noopMetrics) DecrementFlows(connIndex uint8) {}
func (noopMetrics) FailedFlow(connIndex uint8) {}
func (noopMetrics) PayloadTooLarge(connIndex uint8) {}
func (noopMetrics) RetryFlowResponse(connIndex uint8) {}
func (noopMetrics) MigrateFlow(connIndex uint8) {}
func (noopMetrics) UnsupportedRemoteCommand(connIndex uint8, command string) {}
func (noopMetrics) DroppedUDPDatagram(connIndex uint8, reason v3.DroppedReason) {}
func (noopMetrics) DroppedICMPPackets(connIndex uint8, reason v3.DroppedReason) {}

77
quic/v3/muxer.go
View File

@ -17,9 +17,6 @@ const (
// Allocating a 16 channel buffer here allows for the writer to be slightly faster than the reader.
// This has worked previously well for datagramv2, so we will start with this as well
demuxChanCapacity = 16
// This provides a small buffer for the PacketRouter to poll ICMP packets from the QUIC connection
// before writing them to the origin.
icmpDatagramChanCapacity = 128
logSrcKey = "src"
logDstKey = "dst"
@ -69,7 +66,6 @@ type datagramConn struct {
metrics Metrics
logger *zerolog.Logger
datagrams chan []byte
icmpDatagramChan chan *ICMPDatagram
readErrors chan error
icmpEncoderPool sync.Pool // a pool of *packet.Encoder
@ -86,7 +82,6 @@ func NewDatagramConn(conn QuicConnection, sessionManager SessionManager, icmpRou
metrics: metrics,
logger: &log,
datagrams: make(chan []byte, demuxChanCapacity),
icmpDatagramChan: make(chan *ICMPDatagram, icmpDatagramChanCapacity),
readErrors: make(chan error, 2),
icmpEncoderPool: sync.Pool{
New: func() any {
@ -173,9 +168,6 @@ func (c *datagramConn) Serve(ctx context.Context) error {
readCtx, cancel := context.WithCancel(connCtx)
defer cancel()
go c.pollDatagrams(readCtx)
// Processing ICMP datagrams also monitors the reader context since the ICMP datagrams from the reader are the input
// for the routine.
go c.processICMPDatagrams(readCtx)
for {
// We make sure to monitor the context of cloudflared and the underlying connection to return if any errors occur.
var datagram []byte
@ -183,22 +175,23 @@ func (c *datagramConn) Serve(ctx context.Context) error {
// Monitor the context of cloudflared
case <-ctx.Done():
return ctx.Err()
// Monitor the context of the underlying quic connection
// Monitor the context of the underlying connection
case <-connCtx.Done():
return connCtx.Err()
// Monitor for any hard errors from reading the connection
case err := <-c.readErrors:
return err
// Wait and dequeue datagrams as they come in
// Otherwise, wait and dequeue datagrams as they come in
case d := <-c.datagrams:
datagram = d
}
// Each incoming datagram will be processed in a new go routine to handle the demuxing and action associated.
go func() {
typ, err := ParseDatagramType(datagram)
if err != nil {
c.logger.Err(err).Msgf("unable to parse datagram type: %d", typ)
continue
return
}
switch typ {
case UDPSessionRegistrationType:
@ -206,23 +199,20 @@ func (c *datagramConn) Serve(ctx context.Context) error {
err := reg.UnmarshalBinary(datagram)
if err != nil {
c.logger.Err(err).Msgf("unable to unmarshal session registration datagram")
continue
return
}
logger := c.logger.With().Str(logFlowID, reg.RequestID.String()).Logger()
// We bind the new session to the quic connection context instead of cloudflared context to allow for the
// quic connection to close and close only the sessions bound to it. Closing of cloudflared will also
// initiate the close of the quic connection, so we don't have to worry about the application context
// in the scope of a session.
//
// Additionally, we spin out the registration into a separate go routine to handle the Serve'ing of the
// session in a separate routine from the demuxer.
go c.handleSessionRegistrationDatagram(connCtx, reg, &logger)
c.handleSessionRegistrationDatagram(connCtx, reg, &logger)
case UDPSessionPayloadType:
payload := &UDPSessionPayloadDatagram{}
err := payload.UnmarshalBinary(datagram)
if err != nil {
c.logger.Err(err).Msgf("unable to unmarshal session payload datagram")
continue
return
}
logger := c.logger.With().Str(logFlowID, payload.RequestID.String()).Logger()
c.handleSessionPayloadDatagram(payload, &logger)
@ -231,17 +221,18 @@ func (c *datagramConn) Serve(ctx context.Context) error {
err := packet.UnmarshalBinary(datagram)
if err != nil {
c.logger.Err(err).Msgf("unable to unmarshal icmp datagram")
continue
return
}
c.handleICMPPacket(packet)
case UDPSessionRegistrationResponseType:
// cloudflared should never expect to receive UDP session responses as it will not initiate new
// sessions towards the edge.
c.logger.Error().Msgf("unexpected datagram type received: %d", UDPSessionRegistrationResponseType)
continue
return
default:
c.logger.Error().Msgf("unknown datagram type received: %d", typ)
}
}()
}
}
@ -252,21 +243,24 @@ func (c *datagramConn) handleSessionRegistrationDatagram(ctx context.Context, da
Str(logDstKey, datagram.Dest.String()).
Logger()
session, err := c.sessionManager.RegisterSession(datagram, c)
if err != nil {
switch err {
case nil:
// Continue as normal
case ErrSessionAlreadyRegistered:
// Session is already registered and likely the response got lost
c.handleSessionAlreadyRegistered(datagram.RequestID, &log)
return
case ErrSessionBoundToOtherConn:
// Session is already registered but to a different connection
c.handleSessionMigration(datagram.RequestID, &log)
return
case ErrSessionRegistrationRateLimited:
// There are too many concurrent sessions so we return an error to force a retry later
c.handleSessionRegistrationRateLimited(datagram, &log)
return
default:
log.Err(err).Msg("flow registration failure")
c.handleSessionRegistrationFailure(datagram.RequestID, &log)
}
return
}
log = log.With().Str(logSrcKey, session.LocalAddr().String()).Logger()
@ -368,54 +362,30 @@ func (c *datagramConn) handleSessionRegistrationRateLimited(datagram *UDPSession
func (c *datagramConn) handleSessionPayloadDatagram(datagram *UDPSessionPayloadDatagram, logger *zerolog.Logger) {
s, err := c.sessionManager.GetSession(datagram.RequestID)
if err != nil {
c.metrics.DroppedUDPDatagram(c.index, DroppedWriteFlowUnknown)
logger.Err(err).Msgf("unable to find flow")
return
}
s.Write(datagram.Payload)
// We ignore the bytes written to the socket because any partial write must return an error.
_, err = s.Write(datagram.Payload)
if err != nil {
logger.Err(err).Msgf("unable to write payload for the flow")
return
}
}
// Handles incoming ICMP datagrams into a serialized channel to be handled by a single consumer.
// Handles incoming ICMP datagrams.
func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
if c.icmpRouter == nil {
// ICMPRouter is disabled so we drop the current packet and ignore all incoming ICMP packets
return
}
select {
case c.icmpDatagramChan <- datagram:
default:
// If the ICMP datagram channel is full, drop any additional incoming.
c.metrics.DroppedICMPPackets(c.index, DroppedWriteFull)
c.logger.Warn().Msg("failed to write icmp packet to origin: dropped")
}
}
// Consumes from the ICMP datagram channel to write out the ICMP requests to an origin.
func (c *datagramConn) processICMPDatagrams(ctx context.Context) {
if c.icmpRouter == nil {
// ICMPRouter is disabled so we ignore all incoming ICMP packets
return
}
for {
select {
// If the provided context is closed we want to exit the write loop
case <-ctx.Done():
return
case datagram := <-c.icmpDatagramChan:
c.writeICMPPacket(datagram)
}
}
}
func (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {
// Decode the provided ICMPDatagram as an ICMP packet
rawPacket := packet.RawPacket{Data: datagram.Payload}
cachedDecoder := c.icmpDecoderPool.Get()
defer c.icmpDecoderPool.Put(cachedDecoder)
decoder, ok := cachedDecoder.(*packet.ICMPDecoder)
if !ok {
c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
c.logger.Error().Msg("Could not get ICMPDecoder from the pool. Dropping packet")
return
}
@ -423,7 +393,6 @@ func (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {
icmp, err := decoder.Decode(rawPacket)
if err != nil {
c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
c.logger.Err(err).Msgf("unable to marshal icmp packet")
return
}
@ -431,7 +400,6 @@ func (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {
// If the ICMP packet's TTL is expired, we won't send it to the origin and immediately return a TTL Exceeded Message
if icmp.TTL <= 1 {
if err := c.SendICMPTTLExceed(icmp, rawPacket); err != nil {
c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
c.logger.Err(err).Msg("failed to return ICMP TTL exceed error")
}
return
@ -443,7 +411,6 @@ func (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {
// connection context which will have no tracing information available.
err = c.icmpRouter.Request(c.conn.Context(), icmp, newPacketResponder(c, c.index))
if err != nil {
c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
c.logger.Err(err).
Str(logSrcKey, icmp.Src.String()).
Str(logDstKey, icmp.Dst.String()).

166
quic/v3/muxer_test.go
View File

@ -13,7 +13,6 @@ import (
"testing"
"time"
"github.com/fortytw2/leaktest"
"github.com/google/gopacket/layers"
"github.com/rs/zerolog"
"github.com/stretchr/testify/assert"
@ -89,11 +88,7 @@ func (m *mockEyeball) SendICMPTTLExceed(icmp *packet.ICMP, rawPacket packet.RawP
func TestDatagramConn_New(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
conn := v3.NewDatagramConn(newMockQuicConn(t.Context()), v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
conn := v3.NewDatagramConn(newMockQuicConn(), v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
if conn == nil {
t.Fatal("expected valid connection")
}
@ -101,14 +96,8 @@ func TestDatagramConn_New(t *testing.T) {
func TestDatagramConn_SendUDPSessionDatagram(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
quic := newMockQuicConn()
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
payload := []byte{0xef, 0xef}
err := conn.SendUDPSessionDatagram(payload)
@ -122,14 +111,8 @@ func TestDatagramConn_SendUDPSessionDatagram(t *testing.T) {
func TestDatagramConn_SendUDPSessionResponse(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
quic := newMockQuicConn()
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
err := conn.SendUDPSessionResponse(testRequestID, v3.ResponseDestinationUnreachable)
require.NoError(t, err)
@ -150,14 +133,8 @@ func TestDatagramConn_SendUDPSessionResponse(t *testing.T) {
func TestDatagramConnServe_ApplicationClosed(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
quic := newMockQuicConn()
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
defer cancel()
@ -169,17 +146,11 @@ func TestDatagramConnServe_ApplicationClosed(t *testing.T) {
func TestDatagramConnServe_ConnectionClosed(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
defer cancel()
quic.ctx = ctx
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
err := conn.Serve(t.Context())
if !errors.Is(err, context.DeadlineExceeded) {
@ -189,12 +160,8 @@ func TestDatagramConnServe_ConnectionClosed(t *testing.T) {
func TestDatagramConnServe_ReceiveDatagramError(t *testing.T) {
log := zerolog.Nop()
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: testDefaultDialer,
TCPWriteTimeout: 0,
}, &log)
quic := &mockQuicConnReadError{err: net.ErrClosed}
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, ingress.DialUDPAddrPort, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
err := conn.Serve(t.Context())
if !errors.Is(err, net.ErrClosed) {
@ -204,17 +171,15 @@ func TestDatagramConnServe_ReceiveDatagramError(t *testing.T) {
func TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
sessionManager := &mockSessionManager{
expectedRegErr: v3.ErrSessionRegistrationRateLimited,
}
conn := v3.NewDatagramConn(quic, sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
// Setup the muxer
ctx, cancel := context.WithCancelCause(t.Context())
defer cancel(context.Canceled)
ctx, cancel := context.WithCancel(t.Context())
defer cancel()
done := make(chan error, 1)
go func() {
done <- conn.Serve(ctx)
@ -234,12 +199,9 @@ func TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {
require.EqualValues(t, testRequestID, resp.RequestID)
require.EqualValues(t, v3.ResponseTooManyActiveFlows, resp.ResponseType)
assertContextClosed(t, ctx, done, cancel)
}
func TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {
defer leaktest.Check(t)()
for _, test := range []struct {
name string
input []byte
@ -264,9 +226,7 @@ func TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {
t.Run(test.name, func(t *testing.T) {
logOutput := new(LockedBuffer)
log := zerolog.New(logOutput)
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
quic.send <- test.input
conn := v3.NewDatagramConn(quic, &mockSessionManager{}, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -305,11 +265,8 @@ func (b *LockedBuffer) String() string {
}
func TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
expectedErr := errors.New("unable to register session")
sessionManager := mockSessionManager{expectedRegErr: expectedErr}
conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -343,11 +300,8 @@ func TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {
}
func TestDatagramConnServe(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
session := newMockSession()
sessionManager := mockSessionManager{session: &session}
conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -394,11 +348,8 @@ func TestDatagramConnServe(t *testing.T) {
// instances causes inteference resulting in multiple different raw packets being decoded
// as the same decoded packet.
func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
session := newMockSession()
sessionManager := mockSessionManager{session: &session}
router := newMockICMPRouter()
@ -438,15 +389,11 @@ func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
wg := sync.WaitGroup{}
var receivedPackets []*packet.ICMP
go func() {
for {
select {
case <-ctx.Done():
return
case icmpPacket := <-router.recv:
for ctx.Err() == nil {
icmpPacket := <-router.recv
receivedPackets = append(receivedPackets, icmpPacket)
wg.Done()
}
}
}()
for _, p := range packets {
@ -481,11 +428,8 @@ func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
}
func TestDatagramConnServe_RegisterTwice(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
session := newMockSession()
sessionManager := mockSessionManager{session: &session}
conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -546,17 +490,12 @@ func TestDatagramConnServe_RegisterTwice(t *testing.T) {
}
func TestDatagramConnServe_MigrateConnection(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
session := newMockSession()
sessionManager := mockSessionManager{session: &session}
conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
conn2Ctx, conn2Cancel := context.WithCancelCause(t.Context())
defer conn2Cancel(context.Canceled)
quic2 := newMockQuicConn(conn2Ctx)
quic2 := newMockQuicConn()
conn2 := v3.NewDatagramConn(quic2, &sessionManager, &noopICMPRouter{}, 1, &noopMetrics{}, &log)
// Setup the muxer
@ -634,11 +573,8 @@ func TestDatagramConnServe_MigrateConnection(t *testing.T) {
}
func TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
// mockSessionManager will return the ErrSessionNotFound for any session attempting to be queried by the muxer
sessionManager := mockSessionManager{session: nil, expectedGetErr: v3.ErrSessionNotFound}
conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -664,12 +600,9 @@ func TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {
assertContextClosed(t, ctx, done, cancel)
}
func TestDatagramConnServe_Payloads(t *testing.T) {
defer leaktest.Check(t)()
func TestDatagramConnServe_Payload(t *testing.T) {
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
session := newMockSession()
sessionManager := mockSessionManager{session: &session}
conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -682,26 +615,15 @@ func TestDatagramConnServe_Payloads(t *testing.T) {
done <- conn.Serve(ctx)
}()
// Send session payloads
expectedPayloads := makePayloads(256, 16)
go func() {
for _, payload := range expectedPayloads {
datagram := newSessionPayloadDatagram(testRequestID, payload)
// Send new session registration
expectedPayload := []byte{0xef, 0xef}
datagram := newSessionPayloadDatagram(testRequestID, expectedPayload)
quic.send <- datagram
}
}()
// Session should receive the payloads (in-order)
for i, payload := range expectedPayloads {
select {
case recv := <-session.recv:
if !slices.Equal(recv, payload) {
t.Fatalf("expected session receieve the payload[%d] sent via the muxer: (%x) (%x)", i, recv[:16], payload[:16])
}
case err := <-ctx.Done():
// we expect the payload to return before the context to cancel on the session
t.Fatal(err)
}
// Session should receive the payload
payload := <-session.recv
if !slices.Equal(expectedPayload, payload) {
t.Fatalf("expected session receieve the payload sent via the muxer")
}
// Cancel the muxer Serve context and make sure it closes with the expected error
@ -709,11 +631,8 @@ func TestDatagramConnServe_Payloads(t *testing.T) {
}
func TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
router := newMockICMPRouter()
conn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)
@ -758,11 +677,8 @@ func TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {
}
func TestDatagramConnServe_ICMPDatagram_TTLExceeded(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
connCtx, connCancel := context.WithCancelCause(t.Context())
defer connCancel(context.Canceled)
quic := newMockQuicConn(connCtx)
quic := newMockQuicConn()
router := newMockICMPRouter()
conn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)
@ -881,9 +797,9 @@ type mockQuicConn struct {
recv chan []byte
}
func newMockQuicConn(ctx context.Context) *mockQuicConn {
func newMockQuicConn() *mockQuicConn {
return &mockQuicConn{
ctx: ctx,
ctx: context.Background(),
send: make(chan []byte, 1),
recv: make(chan []byte, 1),
}
@ -901,12 +817,7 @@ func (m *mockQuicConn) SendDatagram(payload []byte) error {
}
func (m *mockQuicConn) ReceiveDatagram(_ context.Context) ([]byte, error) {
select {
case <-m.ctx.Done():
return nil, m.ctx.Err()
case b := <-m.send:
return b, nil
}
return <-m.send, nil
}
type mockQuicConnReadError struct {
@ -970,10 +881,11 @@ func (m *mockSession) Serve(ctx context.Context) error {
return v3.SessionCloseErr
}
func (m *mockSession) Write(payload []byte) {
func (m *mockSession) Write(payload []byte) (n int, err error) {
b := make([]byte, len(payload))
copy(b, payload)
m.recv <- b
return len(b), nil
}
func (m *mockSession) Close() error {

127
quic/v3/session.go
View File

@ -6,7 +6,6 @@ import (
"fmt"
"io"
"net"
"os"
"sync"
"sync/atomic"
"time"
@ -23,11 +22,6 @@ const (
// this value (maxDatagramPayloadLen).
maxOriginUDPPacketSize = 1500
// The maximum amount of datagrams a session will queue up before it begins dropping datagrams.
// This channel buffer is small because we assume that the dedicated writer to the origin is typically
// fast enought to keep the channel empty.
writeChanCapacity = 512
logFlowID = "flowID"
logPacketSizeKey = "packetSize"
)
@ -55,7 +49,7 @@ func newSessionIdleErr(timeout time.Duration) error {
}
type Session interface {
io.Closer
io.WriteCloser
ID() RequestID
ConnectionID() uint8
RemoteAddr() net.Addr
@ -64,7 +58,6 @@ type Session interface {
Migrate(eyeball DatagramConn, ctx context.Context, logger *zerolog.Logger)
// Serve starts the event loop for processing UDP packets
Serve(ctx context.Context) error
Write(payload []byte)
}
type session struct {
@ -74,15 +67,9 @@ type session struct {
originAddr net.Addr
localAddr net.Addr
eyeball atomic.Pointer[DatagramConn]
writeChan chan []byte
// activeAtChan is used to communicate the last read/write time
activeAtChan chan time.Time
errChan chan error
// The close channel signal only exists for the write loop because the read loop is always waiting on a read
// from the UDP socket to the origin. To close the read loop we close the socket.
// Additionally, we can't close the writeChan to indicate that writes are complete because the producer (edge)
// side may still be trying to write to this session.
closeWrite chan struct{}
closeChan chan error
contextChan chan context.Context
metrics Metrics
log *zerolog.Logger
@ -102,12 +89,10 @@ func NewSession(
log *zerolog.Logger,
) Session {
logger := log.With().Str(logFlowID, id.String()).Logger()
writeChan := make(chan []byte, writeChanCapacity)
// errChan has three slots to allow for all writers (the closeFn, the read loop and the write loop) to
// write to the channel without blocking since there is only ever one value read from the errChan by the
// closeChan has two slots to allow for both writers (the closeFn and the Serve routine) to both be able to
// write to the channel without blocking since there is only ever one value read from the closeChan by the
// waitForCloseCondition.
errChan := make(chan error, 3)
closeWrite := make(chan struct{})
closeChan := make(chan error, 2)
session := &session{
id: id,
closeAfterIdle: closeAfterIdle,
@ -115,12 +100,10 @@ func NewSession(
originAddr: originAddr,
localAddr: localAddr,
eyeball: atomic.Pointer[DatagramConn]{},
writeChan: writeChan,
// activeAtChan has low capacity. It can be full when there are many concurrent read/write. markActive() will
// drop instead of blocking because last active time only needs to be an approximation
activeAtChan: make(chan time.Time, 1),
errChan: errChan,
closeWrite: closeWrite,
closeChan: closeChan,
// contextChan is an unbounded channel to help enforce one active migration of a session at a time.
contextChan: make(chan context.Context),
metrics: metrics,
@ -128,12 +111,9 @@ func NewSession(
closeFn: sync.OnceValue(func() error {
// We don't want to block on sending to the close channel if it is already full
select {
case errChan <- SessionCloseErr:
case closeChan <- SessionCloseErr:
default:
}
// Indicate to the write loop that the session is now closed
close(closeWrite)
// Close the socket directly to unblock the read loop and cause it to also end
return origin.Close()
}),
}
@ -174,13 +154,7 @@ func (s *session) Migrate(eyeball DatagramConn, ctx context.Context, logger *zer
}
func (s *session) Serve(ctx context.Context) error {
go s.writeLoop()
go s.readLoop()
return s.waitForCloseCondition(ctx, s.closeAfterIdle)
}
// Read datagrams from the origin and write them to the connection.
func (s *session) readLoop() {
go func() {
// QUIC implementation copies data to another buffer before returning https://github.com/quic-go/quic-go/blob/v0.24.0/session.go#L1967-L1975
// This makes it safe to share readBuffer between iterations
readBuffer := [maxOriginUDPPacketSize + DatagramPayloadHeaderLen]byte{}
@ -192,19 +166,20 @@ func (s *session) readLoop() {
// Read from the origin UDP socket
n, err := s.origin.Read(readBuffer[DatagramPayloadHeaderLen:])
if err != nil {
if isConnectionClosed(err) {
s.log.Debug().Msgf("flow (read) connection closed: %v", err)
if errors.Is(err, io.EOF) ||
errors.Is(err, io.ErrUnexpectedEOF) {
s.log.Debug().Msgf("flow (origin) connection closed: %v", err)
}
s.closeSession(err)
s.closeChan <- err
return
}
if n < 0 {
s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadFailed)
s.log.Warn().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was negative and was dropped")
continue
}
if n > maxDatagramPayloadLen {
s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadTooLarge)
connectionIndex := s.ConnectionID()
s.metrics.PayloadTooLarge(connectionIndex)
s.log.Error().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was too large and was dropped")
continue
}
@ -215,74 +190,30 @@ func (s *session) readLoop() {
// will cause back-pressure to the kernel buffer if the writes are not fast enough to the edge.
err = eyeball.SendUDPSessionDatagram(readBuffer[:DatagramPayloadHeaderLen+n])
if err != nil {
s.closeSession(err)
s.closeChan <- err
return
}
// Mark the session as active since we proxied a valid packet from the origin.
s.markActive()
}
}()
return s.waitForCloseCondition(ctx, s.closeAfterIdle)
}
func (s *session) Write(payload []byte) {
select {
case s.writeChan <- payload:
default:
s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFull)
s.log.Error().Msg("failed to write flow payload to origin: dropped")
}
}
// Read datagrams from the write channel to the origin.
func (s *session) writeLoop() {
for {
select {
case <-s.closeWrite:
// When the closeWrite channel is closed, we will no longer write to the origin and end this
// goroutine since the session is now closed.
return
case payload := <-s.writeChan:
n, err := s.origin.Write(payload)
func (s *session) Write(payload []byte) (n int, err error) {
n, err = s.origin.Write(payload)
if err != nil {
// Check if this is a write deadline exceeded to the connection
if errors.Is(err, os.ErrDeadlineExceeded) {
s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteDeadlineExceeded)
s.log.Warn().Err(err).Msg("flow (write) deadline exceeded: dropping packet")
continue
}
if isConnectionClosed(err) {
s.log.Debug().Msgf("flow (write) connection closed: %v", err)
}
s.log.Err(err).Msg("failed to write flow payload to origin")
s.closeSession(err)
// If we fail to write to the origin socket, we need to end the writer and close the session
return
s.log.Err(err).Msg("failed to write payload to flow (remote)")
return n, err
}
// Write must return a non-nil error if it returns n < len(p). https://pkg.go.dev/io#Writer
if n < len(payload) {
s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFailed)
s.log.Err(io.ErrShortWrite).Msg("failed to write the full flow payload to origin")
continue
s.log.Err(io.ErrShortWrite).Msg("failed to write the full payload to flow (remote)")
return n, io.ErrShortWrite
}
// Mark the session as active since we successfully proxied a packet to the origin.
// Mark the session as active since we proxied a packet to the origin.
s.markActive()
}
}
}
func isConnectionClosed(err error) bool {
return errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)
}
// Send an error to the error channel to report that an error has either happened on the tunnel or origin side of the
// proxied connection.
func (s *session) closeSession(err error) {
select {
case s.errChan <- err:
default:
// In the case that the errChan is already full, we will skip over it and return as to not block
// the caller because we should start cleaning up the session.
s.log.Warn().Msg("error channel was full")
}
return n, err
}
// ResetIdleTimer will restart the current idle timer.
@ -309,8 +240,7 @@ func (s *session) Close() error {
func (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time.Duration) error {
connCtx := ctx
// Closing the session at the end cancels read so Serve() can return, additionally, it closes the
// closeWrite channel which indicates to the write loop to return.
// Closing the session at the end cancels read so Serve() can return
defer s.Close()
if closeAfterIdle == 0 {
// Provided that the default caller doesn't specify one
@ -330,10 +260,7 @@ func (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time
// still be active on the existing connection.
connCtx = newContext
continue
case reason := <-s.errChan:
// Any error returned here is from the read or write loops indicating that it can no longer process datagrams
// and as such the session needs to close.
s.metrics.FailedFlow(s.ConnectionID())
case reason := <-s.closeChan:
return reason
case <-checkIdleTimer.C:
// The check idle timer will only return after an idle period since the last active

14
quic/v3/session_fuzz_test.go
View File

@ -4,24 +4,20 @@ import (
"testing"
)
// FuzzSessionWrite verifies that we don't run into any panics when writing a single variable sized payload to the origin.
// FuzzSessionWrite verifies that we don't run into any panics when writing variable sized payloads to the origin.
func FuzzSessionWrite(f *testing.F) {
f.Fuzz(func(t *testing.T, b []byte) {
// The origin transport read is bound to 1280 bytes
if len(b) > 1280 {
b = b[:1280]
}
testSessionWrite(t, [][]byte{b})
testSessionWrite(t, b)
})
}
// FuzzSessionRead verifies that we don't run into any panics when reading a single variable sized payload from the origin.
func FuzzSessionRead(f *testing.F) {
// FuzzSessionServe verifies that we don't run into any panics when reading variable sized payloads from the origin.
func FuzzSessionServe(f *testing.F) {
f.Fuzz(func(t *testing.T, b []byte) {
// The origin transport read is bound to 1280 bytes
if len(b) > 1280 {
b = b[:1280]
}
testSessionRead(t, [][]byte{b})
testSessionServe_Origin(t, b)
})
}

106
quic/v3/session_test.go
View File

@ -31,61 +31,60 @@ func TestSessionNew(t *testing.T) {
}
}
func testSessionWrite(t *testing.T, payloads [][]byte) {
func testSessionWrite(t *testing.T, payload []byte) {
log := zerolog.Nop()
origin, server := net.Pipe()
defer origin.Close()
defer server.Close()
// Start origin server reads
serverRead := make(chan []byte, len(payloads))
// Start origin server read
serverRead := make(chan []byte, 1)
go func() {
for range len(payloads) {
buf := make([]byte, 1500)
_, _ = server.Read(buf[:])
serverRead <- buf
}
close(serverRead)
read := make([]byte, 1500)
_, _ = server.Read(read[:])
serverRead <- read
}()
// Create a session
// Create session and write to origin
session := v3.NewSession(testRequestID, 5*time.Second, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
n, err := session.Write(payload)
defer session.Close()
// Start the Serve to begin the writeLoop
ctx, cancel := context.WithCancelCause(t.Context())
defer cancel(context.Canceled)
done := make(chan error)
go func() {
done <- session.Serve(ctx)
}()
// Write the payloads to the session
for _, payload := range payloads {
session.Write(payload)
if err != nil {
t.Fatal(err)
}
if n != len(payload) {
t.Fatal("unable to write the whole payload")
}
// Read from the origin to ensure the payloads were received (in-order)
for i, payload := range payloads {
read := <-serverRead
if !slices.Equal(payload, read[:len(payload)]) {
t.Fatalf("payload[%d] provided from origin and read value are not the same (%x) and (%x)", i, payload[:16], read[:16])
t.Fatal("payload provided from origin and read value are not the same")
}
}
_, more := <-serverRead
if more {
t.Fatalf("expected the session to have all of the origin payloads received: %d", len(serverRead))
}
assertContextClosed(t, ctx, done, cancel)
}
func TestSessionWrite(t *testing.T) {
func TestSessionWrite_Max(t *testing.T) {
defer leaktest.Check(t)()
for i := range 1280 {
payloads := makePayloads(i, 16)
testSessionWrite(t, payloads)
}
payload := makePayload(1280)
testSessionWrite(t, payload)
}
func testSessionRead(t *testing.T, payloads [][]byte) {
func TestSessionWrite_Min(t *testing.T) {
defer leaktest.Check(t)()
payload := makePayload(0)
testSessionWrite(t, payload)
}
func TestSessionServe_OriginMax(t *testing.T) {
defer leaktest.Check(t)()
payload := makePayload(1280)
testSessionServe_Origin(t, payload)
}
func TestSessionServe_OriginMin(t *testing.T) {
defer leaktest.Check(t)()
payload := makePayload(0)
testSessionServe_Origin(t, payload)
}
func testSessionServe_Origin(t *testing.T, payload []byte) {
log := zerolog.Nop()
origin, server := net.Pipe()
defer origin.Close()
@ -101,15 +100,12 @@ func testSessionRead(t *testing.T, payloads [][]byte) {
done <- session.Serve(ctx)
}()
// Write from the origin server to the eyeball
go func() {
for _, payload := range payloads {
_, _ = server.Write(payload)
// Write from the origin server
_, err := server.Write(payload)
if err != nil {
t.Fatal(err)
}
}()
// Read from the eyeball to ensure the payloads were received (in-order)
for i, payload := range payloads {
select {
case data := <-eyeball.recvData:
// check received data matches provided from origin
@ -117,26 +113,24 @@ func testSessionRead(t *testing.T, payloads [][]byte) {
_ = v3.MarshalPayloadHeaderTo(testRequestID, expectedData[:])
copy(expectedData[17:], payload)
if !slices.Equal(expectedData[:v3.DatagramPayloadHeaderLen+len(payload)], data) {
t.Fatalf("expected datagram[%d] did not equal expected", i)
t.Fatal("expected datagram did not equal expected")
}
cancel(errExpectedContextCanceled)
case err := <-ctx.Done():
// we expect the payload to return before the context to cancel on the session
t.Fatal(err)
}
err = <-done
if !errors.Is(err, context.Canceled) {
t.Fatal(err)
}
assertContextClosed(t, ctx, done, cancel)
}
func TestSessionRead(t *testing.T) {
defer leaktest.Check(t)()
for i := range 1280 {
payloads := makePayloads(i, 16)
testSessionRead(t, payloads)
if !errors.Is(context.Cause(ctx), errExpectedContextCanceled) {
t.Fatal(err)
}
}
func TestSessionRead_OriginTooLarge(t *testing.T) {
func TestSessionServe_OriginTooLarge(t *testing.T) {
defer leaktest.Check(t)()
log := zerolog.Nop()
eyeball := newMockEyeball()
@ -323,8 +317,6 @@ func TestSessionServe_IdleTimeout(t *testing.T) {
closeAfterIdle := 2 * time.Second
session := v3.NewSession(testRequestID, closeAfterIdle, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
err := session.Serve(t.Context())
// Session should idle timeout if no reads or writes occur
if !errors.Is(err, v3.SessionIdleErr{}) {
t.Fatal(err)
}

Some files were not shown because too many files have changed in this diff Show More