mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-05-11 04:36:34 +00:00
206523344f
To use cloudflared as a socks proxy, add an ingress on the server
side with your desired rules. Rules are matched in the order they
are added. If there are no rules, it is an implicit allow. If
there are rules, but no rule matches match, the connection is denied.
ingress:
- hostname: socks.example.com
service: socks-proxy
originRequest:
ipRules:
- prefix: 1.1.1.1/24
ports: [80, 443]
allow: true
- prefix: 0.0.0.0/0
allow: false
On the client, run using tcp mode:
cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080
Set your socks proxy as 127.0.0.1:8080 and you will now be proxying
all connections to the remote machine.
83 lines
3.0 KiB
Go
83 lines
3.0 KiB
Go
package socks
|
|
|
|
import (
|
|
"bytes"
|
|
"testing"
|
|
|
|
"github.com/cloudflare/cloudflared/ipaccess"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestUnsupportedBind(t *testing.T) {
|
|
req := createRequest(t, socks5Version, bindCommand, "2001:db8::68", 1337, false)
|
|
var b bytes.Buffer
|
|
|
|
requestHandler := NewRequestHandler(NewNetDialer(), nil)
|
|
err := requestHandler.Handle(req, &b)
|
|
assert.NoError(t, err)
|
|
assert.True(t, b.Bytes()[1] == commandNotSupported, "expected a response")
|
|
}
|
|
|
|
func TestUnsupportedAssociate(t *testing.T) {
|
|
req := createRequest(t, socks5Version, associateCommand, "127.0.0.1", 1337, false)
|
|
var b bytes.Buffer
|
|
|
|
requestHandler := NewRequestHandler(NewNetDialer(), nil)
|
|
err := requestHandler.Handle(req, &b)
|
|
assert.NoError(t, err)
|
|
assert.True(t, b.Bytes()[1] == commandNotSupported, "expected a response")
|
|
}
|
|
|
|
func TestHandleConnect(t *testing.T) {
|
|
req := createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
|
|
var b bytes.Buffer
|
|
|
|
requestHandler := NewRequestHandler(NewNetDialer(), nil)
|
|
err := requestHandler.Handle(req, &b)
|
|
assert.Error(t, err)
|
|
assert.True(t, b.Bytes()[1] == connectionRefused, "expected a response")
|
|
}
|
|
|
|
func TestHandleConnectIPAccess(t *testing.T) {
|
|
prefix := "127.0.0.0/24"
|
|
rule1, _ := ipaccess.NewRuleByCIDR(&prefix, []int{1337}, true)
|
|
rule2, _ := ipaccess.NewRuleByCIDR(&prefix, []int{1338}, false)
|
|
rules := []ipaccess.Rule{rule1, rule2}
|
|
var b bytes.Buffer
|
|
|
|
accessPolicy, _ := ipaccess.NewPolicy(false, nil)
|
|
requestHandler := NewRequestHandler(NewNetDialer(), accessPolicy)
|
|
req := createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
|
|
err := requestHandler.Handle(req, &b)
|
|
assert.Error(t, err)
|
|
assert.True(t, b.Bytes()[1] == ruleFailure, "expected to be denied as no rules and defaultAllow=false")
|
|
|
|
b.Reset()
|
|
accessPolicy, _ = ipaccess.NewPolicy(true, nil)
|
|
requestHandler = NewRequestHandler(NewNetDialer(), accessPolicy)
|
|
req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
|
|
err = requestHandler.Handle(req, &b)
|
|
assert.Error(t, err)
|
|
assert.True(t, b.Bytes()[1] == connectionRefused, "expected to be allowed as no rules and defaultAllow=true")
|
|
|
|
b.Reset()
|
|
accessPolicy, _ = ipaccess.NewPolicy(false, rules)
|
|
requestHandler = NewRequestHandler(NewNetDialer(), accessPolicy)
|
|
req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
|
|
err = requestHandler.Handle(req, &b)
|
|
assert.Error(t, err)
|
|
assert.True(t, b.Bytes()[1] == connectionRefused, "expected to be allowed as matching rule")
|
|
|
|
b.Reset()
|
|
req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1338, false)
|
|
err = requestHandler.Handle(req, &b)
|
|
assert.Error(t, err)
|
|
assert.True(t, b.Bytes()[1] == ruleFailure, "expected to be denied as matching rule")
|
|
|
|
b.Reset()
|
|
req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1339, false)
|
|
err = requestHandler.Handle(req, &b)
|
|
assert.Error(t, err)
|
|
assert.True(t, b.Bytes()[1] == ruleFailure, "expect to be denied as no matching rule and defaultAllow=false")
|
|
}
|