cloudflare/cloudflared
Publicmirrored from https://github.com/cloudflare/cloudflaredAvailable
origin/discovery.go
143lines · modecode
| 1 | package origin |
| 2 | |
| 3 | import ( |
| 4 | "context" |
| 5 | "crypto/tls" |
| 6 | "fmt" |
| 7 | "net" |
| 8 | "time" |
| 9 | |
| 10 | "github.com/pkg/errors" |
| 11 | log "github.com/sirupsen/logrus" |
| 12 | ) |
| 13 | |
| 14 | const ( |
| 15 | // Used to discover HA Warp servers |
| 16 | srvService = "warp" |
| 17 | srvProto = "tcp" |
| 18 | srvName = "cloudflarewarp.com" |
| 19 | |
| 20 | // Used to fallback to DoT when we can't use the default resolver to |
| 21 | // discover HA Warp servers (GitHub issue #75). |
| 22 | dotServerName = "cloudflare-dns.com" |
| 23 | dotServerAddr = "1.1.1.1:853" |
| 24 | dotTimeout = time.Duration(15 * time.Second) |
| 25 | ) |
| 26 | |
| 27 | var friendlyDNSErrorLines = []string{ |
| 28 | `Please try the following things to diagnose this issue:`, |
| 29 | ` 1. ensure that cloudflarewarp.com is returning "warp" service records.`, |
| 30 | ` Run your system's equivalent of: dig srv _warp._tcp.cloudflarewarp.com`, |
| 31 | ` 2. ensure that your DNS resolver is not returning compressed SRV records.`, |
| 32 | ` See GitHub issue https://github.com/golang/go/issues/27546`, |
| 33 | ` For example, you could use Cloudflare's 1.1.1.1 as your resolver:`, |
| 34 | ` https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/`, |
| 35 | } |
| 36 | |
| 37 | func ResolveEdgeIPs(logger *log.Logger, addresses []string) ([]*net.TCPAddr, error) { |
| 38 | if len(addresses) > 0 { |
| 39 | var tcpAddrs []*net.TCPAddr |
| 40 | for _, address := range addresses { |
| 41 | // Addresses specified (for testing, usually) |
| 42 | tcpAddr, err := net.ResolveTCPAddr("tcp", address) |
| 43 | if err != nil { |
| 44 | return nil, err |
| 45 | } |
| 46 | tcpAddrs = append(tcpAddrs, tcpAddr) |
| 47 | } |
| 48 | return tcpAddrs, nil |
| 49 | } |
| 50 | // HA service discovery lookup |
| 51 | _, addrs, err := net.LookupSRV(srvService, srvProto, srvName) |
| 52 | if err != nil { |
| 53 | // Try to fall back to DoT from Cloudflare directly. |
| 54 | // |
| 55 | // Note: Instead of DoT, we could also have used DoH. Either of these: |
| 56 | // - directly via the JSON API (https://1.1.1.1/dns-query?ct=application/dns-json&name=_warp._tcp.cloudflarewarp.com&type=srv) |
| 57 | // - indirectly via `tunneldns.NewUpstreamHTTPS()` |
| 58 | // But both of these cases miss out on a key feature from the stdlib: |
| 59 | // "The returned records are sorted by priority and randomized by weight within a priority." |
| 60 | // (https://golang.org/pkg/net/#Resolver.LookupSRV) |
| 61 | // Does this matter? I don't know. It may someday. Let's use DoT so we don't need to worry about it. |
| 62 | // See also: Go feature request for stdlib-supported DoH: https://github.com/golang/go/issues/27552 |
| 63 | r := fallbackResolver(dotServerName, dotServerAddr) |
| 64 | ctx, cancel := context.WithTimeout(context.Background(), dotTimeout) |
| 65 | defer cancel() |
| 66 | _, fallbackAddrs, fallbackErr := r.LookupSRV(ctx, srvService, srvProto, srvName) |
| 67 | if fallbackErr != nil || len(fallbackAddrs) == 0 { |
| 68 | // use the original DNS error `err` in messages, not `fallbackErr` |
| 69 | logger.Errorln("Error looking up Cloudflare edge IPs: the DNS query failed:", err) |
| 70 | for _, s := range friendlyDNSErrorLines { |
| 71 | logger.Errorln(s) |
| 72 | } |
| 73 | return nil, errors.Wrap(err, "Could not lookup srv records on _warp._tcp.cloudflarewarp.com") |
| 74 | } |
| 75 | // Accept the fallback results and keep going |
| 76 | addrs = fallbackAddrs |
| 77 | } |
| 78 | var resolvedIPsPerCNAME [][]*net.TCPAddr |
| 79 | var lookupErr error |
| 80 | for _, addr := range addrs { |
| 81 | ips, err := ResolveSRVToTCP(addr) |
| 82 | if err != nil || len(ips) == 0 { |
| 83 | // don't return early, we might be able to resolve other addresses |
| 84 | lookupErr = err |
| 85 | continue |
| 86 | } |
| 87 | resolvedIPsPerCNAME = append(resolvedIPsPerCNAME, ips) |
| 88 | } |
| 89 | ips := FlattenServiceIPs(resolvedIPsPerCNAME) |
| 90 | if lookupErr == nil && len(ips) == 0 { |
| 91 | return nil, fmt.Errorf("Unknown service discovery error") |
| 92 | } |
| 93 | return ips, lookupErr |
| 94 | } |
| 95 | |
| 96 | func ResolveSRVToTCP(srv *net.SRV) ([]*net.TCPAddr, error) { |
| 97 | ips, err := net.LookupIP(srv.Target) |
| 98 | if err != nil { |
| 99 | return nil, err |
| 100 | } |
| 101 | addrs := make([]*net.TCPAddr, len(ips)) |
| 102 | for i, ip := range ips { |
| 103 | addrs[i] = &net.TCPAddr{IP: ip, Port: int(srv.Port)} |
| 104 | } |
| 105 | return addrs, nil |
| 106 | } |
| 107 | |
| 108 | // FlattenServiceIPs transposes and flattens the input slices such that the |
| 109 | // first element of the n inner slices are the first n elements of the result. |
| 110 | func FlattenServiceIPs(ipsByService [][]*net.TCPAddr) []*net.TCPAddr { |
| 111 | var result []*net.TCPAddr |
| 112 | for len(ipsByService) > 0 { |
| 113 | filtered := ipsByService[:0] |
| 114 | for _, ips := range ipsByService { |
| 115 | if len(ips) == 0 { |
| 116 | // sanity check |
| 117 | continue |
| 118 | } |
| 119 | result = append(result, ips[0]) |
| 120 | if len(ips) > 1 { |
| 121 | filtered = append(filtered, ips[1:]) |
| 122 | } |
| 123 | } |
| 124 | ipsByService = filtered |
| 125 | } |
| 126 | return result |
| 127 | } |
| 128 | |
| 129 | // Inspiration: https://github.com/artyom/dot/blob/master/dot.go |
| 130 | func fallbackResolver(serverName, serverAddress string) *net.Resolver { |
| 131 | return &net.Resolver{ |
| 132 | PreferGo: true, |
| 133 | Dial: func(ctx context.Context, _ string, _ string) (net.Conn, error) { |
| 134 | var dialer net.Dialer |
| 135 | conn, err := dialer.DialContext(ctx, "tcp", serverAddress) |
| 136 | if err != nil { |
| 137 | return nil, err |
| 138 | } |
| 139 | tlsConfig := &tls.Config{ServerName: serverName} |
| 140 | return tls.Client(conn, tlsConfig), nil |
| 141 | }, |
| 142 | } |
| 143 | } |
| 144 | |