mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-07-27 16:39:58 +00:00
TUN-2640: Users can configure per-origin config. Unify single-rule CLI
flow with multi-rule config file code.
This commit is contained in:
Adam Chalmers
@@ -1,14 +1,24 @@
|
||||
package ingress
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
|
||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
||||
"github.com/cloudflare/cloudflared/logger"
|
||||
"github.com/cloudflare/cloudflared/tlsconfig"
|
||||
"github.com/cloudflare/cloudflared/validation"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -18,54 +28,93 @@ var (
|
||||
ErrURLIncompatibleWithIngress = errors.New("You can't set the --url flag (or $TUNNEL_URL) when using multiple-origin ingress rules")
|
||||
)
|
||||
|
||||
// Each rule route traffic from a hostname/path on the public
|
||||
// internet to the service running on the given URL.
|
||||
type Rule struct {
|
||||
// Requests for this hostname will be proxied to this rule's service.
|
||||
Hostname string
|
||||
// Finalize the rules by adding missing struct fields and validating each origin.
|
||||
func (ing *Ingress) setHTTPTransport(logger logger.Service) error {
|
||||
for ruleNumber, rule := range ing.Rules {
|
||||
cfg := rule.Config
|
||||
originCertPool, err := tlsconfig.LoadOriginCA(cfg.CAPool, nil)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "Error loading cert pool")
|
||||
}
|
||||
|
||||
// Path is an optional regex that can specify path-driven ingress rules.
|
||||
Path *regexp.Regexp
|
||||
httpTransport := &http.Transport{
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
MaxIdleConns: cfg.KeepAliveConnections,
|
||||
MaxIdleConnsPerHost: cfg.KeepAliveConnections,
|
||||
IdleConnTimeout: cfg.KeepAliveTimeout,
|
||||
TLSHandshakeTimeout: cfg.TLSTimeout,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
TLSClientConfig: &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},
|
||||
}
|
||||
if _, isHelloWorld := rule.Service.(*HelloWorld); !isHelloWorld && cfg.OriginServerName != "" {
|
||||
httpTransport.TLSClientConfig.ServerName = cfg.OriginServerName
|
||||
}
|
||||
|
||||
// A (probably local) address. Requests for a hostname which matches this
|
||||
// rule's hostname pattern will be proxied to the service running on this
|
||||
// address.
|
||||
Service *url.URL
|
||||
}
|
||||
dialer := &net.Dialer{
|
||||
Timeout: cfg.ConnectTimeout,
|
||||
KeepAlive: cfg.TCPKeepAlive,
|
||||
}
|
||||
if cfg.NoHappyEyeballs {
|
||||
dialer.FallbackDelay = -1 // As of Golang 1.12, a negative delay disables "happy eyeballs"
|
||||
}
|
||||
|
||||
func (r Rule) MultiLineString() string {
|
||||
var out strings.Builder
|
||||
if r.Hostname != "" {
|
||||
out.WriteString("\thostname: ")
|
||||
out.WriteString(r.Hostname)
|
||||
out.WriteRune('\n')
|
||||
// DialContext depends on which kind of origin is being used.
|
||||
dialContext := dialer.DialContext
|
||||
switch service := rule.Service.(type) {
|
||||
|
||||
// If this origin is a unix socket, enforce network type "unix".
|
||||
case UnixSocketPath:
|
||||
httpTransport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
|
||||
return dialContext(ctx, "unix", service.Address())
|
||||
}
|
||||
// Otherwise, use the regular network config.
|
||||
default:
|
||||
httpTransport.DialContext = dialContext
|
||||
}
|
||||
|
||||
ing.Rules[ruleNumber].HTTPTransport = httpTransport
|
||||
ing.Rules[ruleNumber].ClientTLSConfig = httpTransport.TLSClientConfig
|
||||
}
|
||||
if r.Path != nil {
|
||||
out.WriteString("\tpath: ")
|
||||
out.WriteString(r.Path.String())
|
||||
out.WriteRune('\n')
|
||||
}
|
||||
out.WriteString("\tservice: ")
|
||||
out.WriteString(r.Service.String())
|
||||
return out.String()
|
||||
}
|
||||
|
||||
func (r *Rule) Matches(hostname, path string) bool {
|
||||
hostMatch := r.Hostname == "" || r.Hostname == "*" || matchHost(r.Hostname, hostname)
|
||||
pathMatch := r.Path == nil || r.Path.MatchString(path)
|
||||
return hostMatch && pathMatch
|
||||
// Validate each origin
|
||||
for _, rule := range ing.Rules {
|
||||
// If tunnel running in bastion mode, a connection to origin will not exist until initiated by the client.
|
||||
if rule.Config.BastionMode {
|
||||
continue
|
||||
}
|
||||
|
||||
// Unix sockets don't have validation
|
||||
if _, ok := rule.Service.(UnixSocketPath); ok {
|
||||
continue
|
||||
}
|
||||
switch service := rule.Service.(type) {
|
||||
|
||||
case UnixSocketPath:
|
||||
continue
|
||||
|
||||
case *HelloWorld:
|
||||
continue
|
||||
|
||||
default:
|
||||
if err := validation.ValidateHTTPService(service.Address(), rule.Hostname, rule.HTTPTransport); err != nil {
|
||||
logger.Errorf("unable to connect to the origin: %s", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// FindMatchingRule returns the index of the Ingress Rule which matches the given
|
||||
// hostname and path. This function assumes the last rule matches everything,
|
||||
// which is the case if the rules were instantiated via the ingress#Validate method
|
||||
func (ing Ingress) FindMatchingRule(hostname, path string) int {
|
||||
func (ing Ingress) FindMatchingRule(hostname, path string) (*Rule, int) {
|
||||
for i, rule := range ing.Rules {
|
||||
if rule.Matches(hostname, path) {
|
||||
return i
|
||||
return &rule, i
|
||||
}
|
||||
}
|
||||
return len(ing.Rules) - 1
|
||||
i := len(ing.Rules) - 1
|
||||
return &ing.Rules[i], i
|
||||
}
|
||||
|
||||
func matchHost(ruleHost, reqHost string) bool {
|
||||
@@ -83,7 +132,56 @@ func matchHost(ruleHost, reqHost string) bool {
|
||||
|
||||
// Ingress maps eyeball requests to origins.
|
||||
type Ingress struct {
|
||||
Rules []Rule
|
||||
Rules []Rule
|
||||
defaults OriginRequestConfig
|
||||
}
|
||||
|
||||
// NewSingleOrigin constructs an Ingress set with only one rule, constructed from
|
||||
// legacy CLI parameters like --url or --no-chunked-encoding.
|
||||
func NewSingleOrigin(c *cli.Context, compatibilityMode bool, logger logger.Service) (Ingress, error) {
|
||||
|
||||
service, err := parseSingleOriginService(c, compatibilityMode)
|
||||
if err != nil {
|
||||
return Ingress{}, err
|
||||
}
|
||||
|
||||
// Construct an Ingress with the single rule.
|
||||
ing := Ingress{
|
||||
Rules: []Rule{
|
||||
{
|
||||
Service: service,
|
||||
},
|
||||
},
|
||||
defaults: originRequestFromSingeRule(c),
|
||||
}
|
||||
err = ing.setHTTPTransport(logger)
|
||||
return ing, err
|
||||
}
|
||||
|
||||
// Get a single origin service from the CLI/config.
|
||||
func parseSingleOriginService(c *cli.Context, compatibilityMode bool) (OriginService, error) {
|
||||
if c.IsSet("hello-world") {
|
||||
return new(HelloWorld), nil
|
||||
}
|
||||
if c.IsSet("url") {
|
||||
originURLStr, err := config.ValidateUrl(c, compatibilityMode)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "Error validating origin URL")
|
||||
}
|
||||
originURL, err := url.Parse(originURLStr)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "couldn't parse origin URL")
|
||||
}
|
||||
return &URL{URL: originURL, RootURL: originURL}, nil
|
||||
}
|
||||
if c.IsSet("unix-socket") {
|
||||
unixSocket, err := config.ValidateUnixSocket(c)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "Error validating --unix-socket")
|
||||
}
|
||||
return UnixSocketPath(unixSocket), nil
|
||||
}
|
||||
return nil, errors.New("You must either set ingress rules in your config file, or use --url or use --unix-socket")
|
||||
}
|
||||
|
||||
// IsEmpty checks if there are any ingress rules.
|
||||
@@ -91,19 +189,47 @@ func (ing Ingress) IsEmpty() bool {
|
||||
return len(ing.Rules) == 0
|
||||
}
|
||||
|
||||
func validate(ingress []config.UnvalidatedIngressRule) (Ingress, error) {
|
||||
// StartOrigins will start any origin services managed by cloudflared, e.g. proxy servers or Hello World.
|
||||
func (ing Ingress) StartOrigins(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error) error {
|
||||
for _, rule := range ing.Rules {
|
||||
if err := rule.Service.Start(wg, log, shutdownC, errC, rule.Config); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CatchAll returns the catch-all rule (i.e. the last rule)
|
||||
func (ing Ingress) CatchAll() *Rule {
|
||||
return &ing.Rules[len(ing.Rules)-1]
|
||||
}
|
||||
|
||||
func validate(ingress []config.UnvalidatedIngressRule, defaults OriginRequestConfig) (Ingress, error) {
|
||||
rules := make([]Rule, len(ingress))
|
||||
for i, r := range ingress {
|
||||
service, err := url.Parse(r.Service)
|
||||
if err != nil {
|
||||
return Ingress{}, err
|
||||
}
|
||||
if service.Scheme == "" || service.Hostname() == "" {
|
||||
return Ingress{}, fmt.Errorf("The service %s must have a scheme and a hostname", r.Service)
|
||||
}
|
||||
var service OriginService
|
||||
|
||||
if service.Path != "" {
|
||||
return Ingress{}, fmt.Errorf("%s is an invalid address, ingress rules don't support proxying to a different path on the origin service. The path will be the same as the eyeball request's path.", r.Service)
|
||||
if strings.HasPrefix(r.Service, "unix:") {
|
||||
// No validation necessary for unix socket filepath services
|
||||
service = UnixSocketPath(strings.TrimPrefix(r.Service, "unix:"))
|
||||
} else if r.Service == "hello_world" || r.Service == "hello-world" || r.Service == "helloworld" {
|
||||
service = new(HelloWorld)
|
||||
} else {
|
||||
// Validate URL services
|
||||
u, err := url.Parse(r.Service)
|
||||
if err != nil {
|
||||
return Ingress{}, err
|
||||
}
|
||||
|
||||
if u.Scheme == "" || u.Hostname() == "" {
|
||||
return Ingress{}, fmt.Errorf("The service %s must have a scheme and a hostname", r.Service)
|
||||
}
|
||||
|
||||
if u.Path != "" {
|
||||
return Ingress{}, fmt.Errorf("%s is an invalid address, ingress rules don't support proxying to a different path on the origin service. The path will be the same as the eyeball request's path", r.Service)
|
||||
}
|
||||
serviceURL := URL{URL: u}
|
||||
service = &serviceURL
|
||||
}
|
||||
|
||||
// Ensure that there are no wildcards anywhere except the first character
|
||||
@@ -125,6 +251,7 @@ func validate(ingress []config.UnvalidatedIngressRule) (Ingress, error) {
|
||||
|
||||
var pathRegex *regexp.Regexp
|
||||
if r.Path != "" {
|
||||
var err error
|
||||
pathRegex, err = regexp.Compile(r.Path)
|
||||
if err != nil {
|
||||
return Ingress{}, errors.Wrapf(err, "Rule #%d has an invalid regex", i+1)
|
||||
@@ -135,9 +262,10 @@ func validate(ingress []config.UnvalidatedIngressRule) (Ingress, error) {
|
||||
Hostname: r.Hostname,
|
||||
Service: service,
|
||||
Path: pathRegex,
|
||||
Config: SetConfig(defaults, r.OriginRequest),
|
||||
}
|
||||
}
|
||||
return Ingress{Rules: rules}, nil
|
||||
return Ingress{Rules: rules, defaults: defaults}, nil
|
||||
}
|
||||
|
||||
type errRuleShouldNotBeCatchAll struct {
|
||||
@@ -151,9 +279,20 @@ func (e errRuleShouldNotBeCatchAll) Error() string {
|
||||
"will never be triggered.", e.i+1, e.hostname)
|
||||
}
|
||||
|
||||
func ParseIngress(conf *config.Configuration) (Ingress, error) {
|
||||
// ParseIngress parses, validates and initializes HTTP transports to each origin.
|
||||
func ParseIngress(conf *config.Configuration, logger logger.Service) (Ingress, error) {
|
||||
ing, err := ParseIngressDryRun(conf)
|
||||
if err != nil {
|
||||
return Ingress{}, err
|
||||
}
|
||||
err = ing.setHTTPTransport(logger)
|
||||
return ing, err
|
||||
}
|
||||
|
||||
// ParseIngressDryRun parses ingress rules, but does not send HTTP requests to the origins.
|
||||
func ParseIngressDryRun(conf *config.Configuration) (Ingress, error) {
|
||||
if len(conf.Ingress) == 0 {
|
||||
return Ingress{}, ErrNoIngressRules
|
||||
}
|
||||
return validate(conf.Ingress)
|
||||
return validate(conf.Ingress, OriginRequestFromYAML(conf.OriginRequest))
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user