AUTH-1070: added SSH/protocol forwarding

2025-07-27 18:39:58 +00:00 · 2018-09-21 10:18:23 -05:00
parent 41916365b6
commit fa92441415
10 changed files with 548 additions and 90 deletions
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@@ -86,10 +86,12 @@ func login(c *cli.Context) error {
 		logger.Errorf("Please provide the url of the Access application\n")
 		return err
 	}
-	if _, err := fetchToken(c, appURL); err != nil {
+	token, err := FetchToken(appURL)
+	if err != nil {
 		logger.Errorf("Failed to fetch token: %s\n", err)
 		return err
 	}
+	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", string(token))

 	return nil
 }
@@ -115,7 +117,7 @@ func curl(c *cli.Context) error {
 			logger.Warn("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return shell.Run("curl", cmdArgs...)
 		}
-		token, err = fetchToken(c, appURL)
+		token, err = FetchToken(appURL)
 		if err != nil {
 			logger.Error("Failed to refresh token: ", err)
 			return err
--- a/cmd/cloudflared/access/token.go
+++ b/cmd/cloudflared/access/token.go
@@ -15,15 +15,13 @@ import (
 	"github.com/coreos/go-oidc/jose"
 	"github.com/coreos/go-oidc/oidc"
 	homedir "github.com/mitchellh/go-homedir"
-	cli "gopkg.in/urfave/cli.v2"
 )

 var logger = log.CreateLogger()

-// fetchToken will either load a stored token or generate a new one
-func fetchToken(c *cli.Context, appURL *url.URL) (string, error) {
+// FetchToken will either load a stored token or generate a new one
+func FetchToken(appURL *url.URL) (string, error) {
 	if token, err := getTokenIfExists(appURL); token != "" && err == nil {
-		fmt.Fprintf(os.Stdout, "You have an existing token:\n\n%s\n\n", token)
 		return token, nil
 	}

@@ -36,12 +34,11 @@ func fetchToken(c *cli.Context, appURL *url.URL) (string, error) {
 	// we want to send to the transfer service. the key is token and the value
 	// is blank (basically just the id generated in the transfer service)
 	const resourceName, key, value = "token", "token", ""
-	token, err := transfer.Run(c, appURL, resourceName, key, value, path, true)
+	token, err := transfer.Run(appURL, resourceName, key, value, path, true)
 	if err != nil {
 		return "", err
 	}

-	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", string(token))
 	return string(token), nil
 }

--- a/cmd/cloudflared/transfer/transfer.go
+++ b/cmd/cloudflared/transfer/transfer.go
@@ -16,7 +16,6 @@ import (
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/encrypter"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
 	"github.com/cloudflare/cloudflared/log"
-	cli "gopkg.in/urfave/cli.v2"
 )

 const (
@@ -32,7 +31,7 @@ var logger = log.CreateLogger()
 // The "dance" we refer to is building a HTTP request, opening that in a browser waiting for
 // the user to complete an action, while it long polls in the background waiting for an
 // action to be completed to download the resource.
-func Run(c *cli.Context, transferURL *url.URL, resourceName, key, value, path string, shouldEncrypt bool) ([]byte, error) {
+func Run(transferURL *url.URL, resourceName, key, value, path string, shouldEncrypt bool) ([]byte, error) {
 	encrypterClient, err := encrypter.New("cloudflared_priv.pem", "cloudflared_pub.pem")
 	if err != nil {
 		return nil, err
@@ -49,16 +48,10 @@ func Run(c *cli.Context, transferURL *url.URL, resourceName, key, value, path st
 		fmt.Fprintf(os.Stdout, "A browser window should have opened at the following URL:\n\n%s\n\nIf the browser failed to open, open it yourself and visit the URL above.\n", requestURL)
 	}

-	// for local debugging
-	baseURL := baseStoreURL
-	if c.IsSet("url") {
-		baseURL = c.String("url")
-	}
-
 	var resourceData []byte

 	if shouldEncrypt {
-		buf, key, err := transferRequest(baseURL + filepath.Join("transfer", encrypterClient.PublicKey()))
+		buf, key, err := transferRequest(baseStoreURL + filepath.Join("transfer", encrypterClient.PublicKey()))
 		if err != nil {
 			return nil, err
 		}
@@ -74,7 +67,7 @@ func Run(c *cli.Context, transferURL *url.URL, resourceName, key, value, path st

 		resourceData = decrypted
 	} else {
-		buf, _, err := transferRequest(baseURL + filepath.Join(encrypterClient.PublicKey()))
+		buf, _, err := transferRequest(baseStoreURL + filepath.Join(encrypterClient.PublicKey()))
 		if err != nil {
 			return nil, err
 		}
--- a/cmd/cloudflared/tunnel/carrier.go
+++ b/cmd/cloudflared/tunnel/carrier.go
@@ -0,0 +1,38 @@
+package tunnel
+
+import (
+	"net/url"
+
+	"github.com/cloudflare/cloudflared/carrier"
+	"github.com/cloudflare/cloudflared/validation"
+	"github.com/pkg/errors"
+	cli "gopkg.in/urfave/cli.v2"
+)
+
+// ssh will start a WS proxy server for server mode
+// or copy from stdin/stdout for client mode
+// useful for proxying other protocols (like ssh) over websockets
+// (which you can put Access in front of)
+func ssh(c *cli.Context) error {
+	hostname, err := validation.ValidateHostname(c.String("hostname"))
+	if err != nil {
+		logger.WithError(err).Error("Invalid hostname")
+		return errors.Wrap(err, "invalid hostname")
+	}
+
+	if c.NArg() > 0 || c.IsSet("url") {
+		localForwarder, err := validateUrl(c)
+		if err != nil {
+			logger.WithError(err).Error("Error validating origin URL")
+			return errors.Wrap(err, "error validating origin URL")
+		}
+		forwarder, err := url.Parse(localForwarder)
+		if err != nil {
+			logger.WithError(err).Error("Error validating origin URL")
+			return errors.Wrap(err, "error validating origin URL")
+		}
+		return carrier.StartServer(logger, forwarder.Host, "https://"+hostname, shutdownC)
+	}
+
+	return carrier.StartClient(logger, "https://"+hostname, &carrier.StdinoutStream{})
+}
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -3,6 +3,7 @@ package tunnel
 import (
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
 	"runtime/trace"
 	"sync"
@@ -19,6 +20,7 @@ import (
 	"github.com/cloudflare/cloudflared/metrics"
 	"github.com/cloudflare/cloudflared/origin"
 	"github.com/cloudflare/cloudflared/tunneldns"
+	"github.com/cloudflare/cloudflared/websocket"
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/pkg/errors"
@@ -137,6 +139,21 @@ func Commands() []*cli.Command {
 			},
 			Hidden: true,
 		},
+		{
+			Name:        "ssh",
+			Action:      ssh,
+			Usage:       `ssh -o ProxyCommand="cloudflared tunnel ssh --hostname %h" ssh.warptunnels.org`,
+			ArgsUsage:   "[origin-url]",
+			Description: `The ssh subcommand wraps sends data over a WebSocket proxy to the Cloudflare edge.`,
+			Flags: []cli.Flag{
+				&cli.StringFlag{
+					Name: "hostname",
+				},
+				&cli.StringFlag{
+					Name: "url",
+				},
+			},
+		},
 	}

 	var subcommands []*cli.Command
@@ -308,6 +325,20 @@ func StartServer(c *cli.Context, version string, shutdownC, graceShutdownC chan
 		c.Set("url", "https://"+helloListener.Addr().String())
 	}

+	if c.IsSet("ws-proxy-server") {
+		listener, err := net.Listen("tcp", "127.0.0.1:")
+		if err != nil {
+			logger.WithError(err).Error("Cannot start Websocket Proxy Server")
+			return errors.Wrap(err, "Cannot start Websocket Proxy Server")
+		}
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			errC <- websocket.StartProxyServer(logger, listener, c.String("remote"), shutdownC)
+		}()
+		c.Set("url", "http://"+listener.Addr().String())
+	}
+
 	tunnelConfig, err := prepareTunnelConfig(c, buildInfo, version, logger, protoLogger)
 	if err != nil {
 		return err
@@ -447,6 +478,13 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			EnvVars: []string{"TUNNEL_URL"},
 			Hidden:  shouldHide,
 		}),
+		altsrc.NewStringFlag(&cli.StringFlag{
+			Name:    "remote",
+			Value:   "localhost:22",
+			Usage:   "Connect to the local server over tcp at `remote`.",
+			EnvVars: []string{"TUNNEL_REMOTE"},
+			Hidden:  shouldHide,
+		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "hostname",
 			Usage:   "Set a hostname on a Cloudflare zone to route traffic through this tunnel.",
@@ -549,6 +587,13 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			EnvVars: []string{"TUNNEL_HELLO_WORLD"},
 			Hidden:  shouldHide,
 		}),
+		altsrc.NewBoolFlag(&cli.BoolFlag{
+			Name:    "ws-proxy-server",
+			Value:   false,
+			Usage:   "Run WS proxy Server",
+			EnvVars: []string{"TUNNEL_WS_PROXY"},
+			Hidden:  shouldHide,
+		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "pidfile",
 			Usage:   "Write the application's PID to this file after first successful connection.",
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@@ -33,7 +33,7 @@ func login(c *cli.Context) error {
 		return err
 	}

-	_, err = transfer.Run(c, loginURL, "cert", "callback", callbackStoreURL, path, false)
+	_, err = transfer.Run(loginURL, "cert", "callback", callbackStoreURL, path, false)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
 		return err