cloudflare/cloudflared

Public

mirrored from https://github.com/cloudflare/cloudflaredAvailable

CodeCommitsIssuesPull requestsActionsInsightsSecurity
2021.3.2

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

carrier/websocket.go

165lines · modecode

1package carrier
2
3import (
4 "fmt"
5 "io"
6 "net"
7 "net/http"
8 "net/http/httputil"
9
10 "github.com/cloudflare/cloudflared/ingress"
11 "github.com/cloudflare/cloudflared/socks"
12 "github.com/cloudflare/cloudflared/token"
13 cfwebsocket "github.com/cloudflare/cloudflared/websocket"
14
15 "github.com/gorilla/websocket"
16 "github.com/rs/zerolog"
17)
18
19// Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
20// This implements the functions for glider proxy (sock5) and the carrier interface
21type Websocket struct {
22 log *zerolog.Logger
23 isSocks bool
24}
25
26type wsdialer struct {
27 conn *cfwebsocket.GorillaConn
28}
29
30func (d *wsdialer) Dial(address string) (io.ReadWriteCloser, *socks.AddrSpec, error) {
31 local, ok := d.conn.LocalAddr().(*net.TCPAddr)
32 if !ok {
33 return nil, nil, fmt.Errorf("not a tcp connection")
34 }
35
36 addr := socks.AddrSpec{IP: local.IP, Port: local.Port}
37 return d.conn, &addr, nil
38}
39
40// NewWSConnection returns a new connection object
41func NewWSConnection(log *zerolog.Logger) Connection {
42 return &Websocket{
43 log: log,
44 }
45}
46
47// ServeStream will create a Websocket client stream connection to the edge
48// it blocks and writes the raw data from conn over the tunnel
49func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) error {
50 wsConn, err := createWebsocketStream(options, ws.log)
51 if err != nil {
52 ws.log.Err(err).Str(LogFieldOriginURL, options.OriginURL).Msg("failed to connect to origin")
53 return err
54 }
55 defer wsConn.Close()
56
57 ingress.Stream(wsConn, conn, ws.log)
58 return nil
59}
60
61// StartServer creates a Websocket server to listen for connections.
62// This is used on the origin (tunnel) side to take data from the muxer and send it to the origin
63func (ws *Websocket) StartServer(listener net.Listener, remote string, shutdownC <-chan struct{}) error {
64 return cfwebsocket.StartProxyServer(ws.log, listener, remote, shutdownC, ingress.DefaultStreamHandler)
65}
66
67// createWebsocketStream will create a WebSocket connection to stream data over
68// It also handles redirects from Access and will present that flow if
69// the token is not present on the request
70func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {
71 req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
72 if err != nil {
73 return nil, err
74 }
75 req.Header = options.Headers
76 if options.Host != "" {
77 req.Host = options.Host
78 }
79
80 dump, err := httputil.DumpRequest(req, false)
81 log.Debug().Msgf("Websocket request: %s", string(dump))
82
83 dialer := &websocket.Dialer{
84 TLSClientConfig: options.TLSClientConfig,
85 Proxy: http.ProxyFromEnvironment,
86 }
87 wsConn, resp, err := cfwebsocket.ClientConnect(req, dialer)
88 defer closeRespBody(resp)
89
90 if err != nil && IsAccessResponse(resp) {
91 // Only get Access app info if we know the origin is protected by Access
92 originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
93 if err != nil {
94 return nil, err
95 }
96
97 appInfo, err := token.GetAppInfo(originReq.URL)
98 if err != nil {
99 return nil, err
100 }
101 options.AppInfo = appInfo
102
103 wsConn, err = createAccessAuthenticatedStream(options, log)
104 if err != nil {
105 return nil, err
106 }
107 } else if err != nil {
108 return nil, err
109 }
110
111 return &cfwebsocket.GorillaConn{Conn: wsConn}, nil
112}
113
114// createAccessAuthenticatedStream will try load a token from storage and make
115// a connection with the token set on the request. If it still get redirect,
116// this probably means the token in storage is invalid (expired/revoked). If that
117// happens it deletes the token and runs the connection again, so the user can
118// login again and generate a new one.
119func createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, error) {
120 wsConn, resp, err := createAccessWebSocketStream(options, log)
121 defer closeRespBody(resp)
122 if err == nil {
123 return wsConn, nil
124 }
125
126 if !IsAccessResponse(resp) {
127 return nil, err
128 }
129
130 // Access Token is invalid for some reason. Go through regen flow
131 if err := token.RemoveTokenIfExists(options.AppInfo); err != nil {
132 return nil, err
133 }
134 wsConn, resp, err = createAccessWebSocketStream(options, log)
135 defer closeRespBody(resp)
136 if err != nil {
137 return nil, err
138 }
139
140 return wsConn, nil
141}
142
143// createAccessWebSocketStream builds an Access request and makes a connection
144func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, *http.Response, error) {
145 req, err := BuildAccessRequest(options, log)
146 if err != nil {
147 return nil, nil, err
148 }
149
150 dump, err := httputil.DumpRequest(req, false)
151 log.Debug().Msgf("Access Websocket request: %s", string(dump))
152
153 conn, resp, err := cfwebsocket.ClientConnect(req, nil)
154
155 if resp != nil {
156 r, err := httputil.DumpResponse(resp, true)
157 if r != nil {
158 log.Debug().Msgf("Websocket response: %q", r)
159 } else if err != nil {
160 log.Debug().Msgf("Websocket response error: %v", err)
161 }
162 }
163
164 return conn, resp, err
165}
166