mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-05-10 23:16:34 +00:00
206523344f
To use cloudflared as a socks proxy, add an ingress on the server
side with your desired rules. Rules are matched in the order they
are added. If there are no rules, it is an implicit allow. If
there are rules, but no rule matches match, the connection is denied.
ingress:
- hostname: socks.example.com
service: socks-proxy
originRequest:
ipRules:
- prefix: 1.1.1.1/24
ports: [80, 443]
allow: true
- prefix: 0.0.0.0/0
allow: false
On the client, run using tcp mode:
cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080
Set your socks proxy as 127.0.0.1:8080 and you will now be proxying
all connections to the remote machine.
108 lines
3.4 KiB
Go
108 lines
3.4 KiB
Go
package ipaccess
|
|
|
|
import (
|
|
"bytes"
|
|
"net"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestRuleCreation(t *testing.T) {
|
|
_, ipnet, _ := net.ParseCIDR("1.1.1.1/24")
|
|
|
|
_, err := NewRule(nil, []int{80}, false)
|
|
assert.Error(t, err, "expected error as no ipnet provided")
|
|
|
|
_, err = NewRule(ipnet, []int{65536, 80}, false)
|
|
assert.Error(t, err, "expected error as port higher than 65535")
|
|
|
|
_, err = NewRule(ipnet, []int{80, -1}, false)
|
|
assert.Error(t, err, "expected error as port less than 0")
|
|
|
|
rule, err := NewRule(ipnet, []int{443, 80}, false)
|
|
assert.NoError(t, err)
|
|
assert.True(t, ipnet.IP.Equal(rule.ipNet.IP) && bytes.Compare(ipnet.Mask, rule.ipNet.Mask) == 0, "ipnet expected to be %+v, got: %+v", ipnet, rule.ipNet)
|
|
assert.True(t, len(rule.ports) == 2 && rule.ports[0] == 80 && rule.ports[1] == 443, "expected ports to be sorted")
|
|
}
|
|
|
|
func TestRuleCreationByCIDR(t *testing.T) {
|
|
var cidr *string
|
|
_, err := NewRuleByCIDR(cidr, []int{80}, false)
|
|
assert.Error(t, err, "expected error as cidr is nil")
|
|
|
|
badCidr := "1.1.1.1"
|
|
cidr = &badCidr
|
|
_, err = NewRuleByCIDR(cidr, []int{80}, false)
|
|
assert.Error(t, err, "expected error as the cidr is bad")
|
|
|
|
goodCidr := "1.1.1.1/24"
|
|
_, ipnet, _ := net.ParseCIDR("1.1.1.0/24")
|
|
cidr = &goodCidr
|
|
rule, err := NewRuleByCIDR(cidr, []int{80}, false)
|
|
assert.NoError(t, err)
|
|
assert.True(t, ipnet.IP.Equal(rule.ipNet.IP) && bytes.Compare(ipnet.Mask, rule.ipNet.Mask) == 0, "ipnet expected to be %+v, got: %+v", ipnet, rule.ipNet)
|
|
}
|
|
|
|
func TestRulesNoRules(t *testing.T) {
|
|
ip, _, _ := net.ParseCIDR("1.2.3.4/24")
|
|
|
|
policy, _ := NewPolicy(true, []Rule{})
|
|
|
|
allowed, rule := policy.Allowed(ip, 80)
|
|
assert.True(t, allowed, "expected to be allowed as no rules and default allow")
|
|
assert.Nil(t, rule, "expected to be nil as no rules")
|
|
|
|
policy, _ = NewPolicy(false, []Rule{})
|
|
|
|
allowed, rule = policy.Allowed(ip, 80)
|
|
assert.False(t, allowed, "expected to be denied as no rules and default deny")
|
|
assert.Nil(t, rule, "expected to be nil as no rules")
|
|
}
|
|
|
|
func TestRulesMatchIPAndPort(t *testing.T) {
|
|
ip1, ipnet1, _ := net.ParseCIDR("1.2.3.4/24")
|
|
ip2, _, _ := net.ParseCIDR("2.3.4.5/24")
|
|
|
|
rule1, _ := NewRule(ipnet1, []int{80, 443}, true)
|
|
rules := []Rule{
|
|
rule1,
|
|
}
|
|
|
|
policy, _ := NewPolicy(false, rules)
|
|
|
|
allowed, rule := policy.Allowed(ip1, 80)
|
|
assert.True(t, allowed, "expected to be allowed as matching rule")
|
|
assert.True(t, rule.ipNet == ipnet1, "expected to match ipnet1")
|
|
|
|
allowed, rule = policy.Allowed(ip2, 80)
|
|
assert.False(t, allowed, "expected to be denied as no matching rule")
|
|
assert.Nil(t, rule, "expected to be nil")
|
|
}
|
|
|
|
func TestRulesMatchIPAndPort2(t *testing.T) {
|
|
ip1, ipnet1, _ := net.ParseCIDR("1.2.3.4/24")
|
|
ip2, ipnet2, _ := net.ParseCIDR("2.3.4.5/24")
|
|
|
|
rule1, _ := NewRule(ipnet1, []int{53, 80}, false)
|
|
rule2, _ := NewRule(ipnet2, []int{53, 80}, true)
|
|
rules := []Rule{
|
|
rule1,
|
|
rule2,
|
|
}
|
|
|
|
policy, _ := NewPolicy(false, rules)
|
|
|
|
allowed, rule := policy.Allowed(ip1, 80)
|
|
assert.False(t, allowed, "expected to be denied as matching rule")
|
|
assert.True(t, rule.ipNet == ipnet1, "expected to match ipnet1")
|
|
|
|
allowed, rule = policy.Allowed(ip2, 80)
|
|
assert.True(t, allowed, "expected to be allowed as matching rule")
|
|
assert.True(t, rule.ipNet == ipnet2, "expected to match ipnet1")
|
|
|
|
allowed, rule = policy.Allowed(ip2, 81)
|
|
assert.False(t, allowed, "expected to be denied as no matching rule")
|
|
assert.Nil(t, rule, "expected to be nil")
|
|
}
|