TUN-1893: Proxy requests to the origin based on tunnel hostname

2025-07-27 15:49:58 +00:00 · 2019-06-05 10:08:55 -05:00
parent ca619a97bc
commit d26a8c5d44
11 changed files with 431 additions and 82 deletions
--- a/streamhandler/request.go
+++ b/streamhandler/request.go
@@ -0,0 +1,69 @@
+package streamhandler
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/cloudflare/cloudflared/h2mux"
+	"github.com/pkg/errors"
+)
+
+const (
+	lbProbeUserAgentPrefix = "Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; +https://www.cloudflare.com/traffic-manager/;"
+)
+
+func FindCfRayHeader(h1 *http.Request) string {
+	return h1.Header.Get("Cf-Ray")
+}
+
+func IsLBProbeRequest(req *http.Request) bool {
+	return strings.HasPrefix(req.UserAgent(), lbProbeUserAgentPrefix)
+}
+
+func CreateRequest(stream *h2mux.MuxedStream, originAddr string) (*http.Request, error) {
+	req, err := http.NewRequest(http.MethodGet, originAddr, h2mux.MuxedStreamReader{MuxedStream: stream})
+	if err != nil {
+		return nil, errors.Wrap(err, "unexpected error from http.NewRequest")
+	}
+	err = H2RequestHeadersToH1Request(stream.Headers, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "invalid request received")
+	}
+	return req, nil
+}
+
+func H2RequestHeadersToH1Request(h2 []h2mux.Header, h1 *http.Request) error {
+	for _, header := range h2 {
+		switch header.Name {
+		case ":method":
+			h1.Method = header.Value
+		case ":scheme":
+		case ":authority":
+			// Otherwise the host header will be based on the origin URL
+			h1.Host = header.Value
+		case ":path":
+			u, err := url.Parse(header.Value)
+			if err != nil {
+				return fmt.Errorf("unparseable path")
+			}
+			resolved := h1.URL.ResolveReference(u)
+			// prevent escaping base URL
+			if !strings.HasPrefix(resolved.String(), h1.URL.String()) {
+				return fmt.Errorf("invalid path")
+			}
+			h1.URL = resolved
+		case "content-length":
+			contentLength, err := strconv.ParseInt(header.Value, 10, 64)
+			if err != nil {
+				return fmt.Errorf("unparseable content length")
+			}
+			h1.ContentLength = contentLength
+		default:
+			h1.Header.Add(http.CanonicalHeaderKey(header.Name), header.Value)
+		}
+	}
+	return nil
+}
--- a/streamhandler/stream_handler.go
+++ b/streamhandler/stream_handler.go
@@ -0,0 +1,91 @@
+package streamhandler
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/cloudflare/cloudflared/h2mux"
+	"github.com/cloudflare/cloudflared/tunnelhostnamemapper"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/sirupsen/logrus"
+)
+
+// StreamHandler handles new stream opened by the edge. The streams can be used to proxy requests or make RPC.
+type StreamHandler struct {
+	// newConfigChan is a send-only channel to notify Supervisor of a new ClientConfig
+	newConfigChan chan<- *pogs.ClientConfig
+	// useConfigResultChan is a receive-only channel for Supervisor to communicate the result of applying a new ClientConfig
+	useConfigResultChan <-chan *pogs.UseConfigurationResult
+	// originMapper maps tunnel hostname to origin service
+	tunnelHostnameMapper *tunnelhostnamemapper.TunnelHostnameMapper
+	logger               *logrus.Entry
+}
+
+// NewStreamHandler creates a new StreamHandler
+func NewStreamHandler(newConfigChan chan<- *pogs.ClientConfig,
+	useConfigResultChan <-chan *pogs.UseConfigurationResult,
+	logger *logrus.Logger,
+) *StreamHandler {
+	return &StreamHandler{
+		newConfigChan:        newConfigChan,
+		useConfigResultChan:  useConfigResultChan,
+		tunnelHostnameMapper: tunnelhostnamemapper.NewTunnelHostnameMapper(),
+		logger:               logger.WithField("subsystem", "streamHandler"),
+	}
+}
+
+// ServeStream implements MuxedStreamHandler interface
+func (s *StreamHandler) ServeStream(stream *h2mux.MuxedStream) error {
+	if stream.IsRPCStream() {
+		return fmt.Errorf("serveRPC not implemented")
+	}
+	return s.serveRequest(stream)
+}
+
+func (s *StreamHandler) serveRequest(stream *h2mux.MuxedStream) error {
+	tunnelHostname := stream.TunnelHostname()
+	if !tunnelHostname.IsSet() {
+		err := fmt.Errorf("stream doesn't have tunnelHostname")
+		s.logger.Error(err)
+		return err
+	}
+
+	originService, ok := s.tunnelHostnameMapper.Get(tunnelHostname)
+	if !ok {
+		err := fmt.Errorf("cannot map tunnel hostname %s to origin", tunnelHostname)
+		s.logger.Error(err)
+		return err
+	}
+
+	req, err := CreateRequest(stream, originService.OriginAddr())
+	if err != nil {
+		return err
+	}
+
+	logger := s.requestLogger(req, tunnelHostname)
+	logger.Debugf("Request Headers %+v", req.Header)
+
+	resp, err := originService.Proxy(stream, req)
+	if err != nil {
+		logger.WithError(err).Error("Request error")
+		return err
+	}
+
+	logger.WithField("status", resp.Status).Debugf("Response Headers %+v", resp.Header)
+	return nil
+}
+
+func (s *StreamHandler) requestLogger(req *http.Request, tunnelHostname h2mux.TunnelHostname) *logrus.Entry {
+	cfRay := FindCfRayHeader(req)
+	lbProbe := IsLBProbeRequest(req)
+	logger := s.logger.WithField("tunnelHostname", tunnelHostname)
+	if cfRay != "" {
+		logger = logger.WithField("CF-RAY", cfRay)
+		logger.Debugf("%s %s %s", req.Method, req.URL, req.Proto)
+	} else if lbProbe {
+		logger.Debugf("Load Balancer health check %s %s %s", req.Method, req.URL, req.Proto)
+	} else {
+		logger.Warnf("Requests %v does not have CF-RAY header. Please open a support ticket with Cloudflare.", req)
+	}
+	return logger
+}