cloudflare/cloudflared

Public

mirrored from https://github.com/cloudflare/cloudflaredAvailable

CodeCommitsIssuesPull requestsActionsInsightsSecurity
2024.4.1

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

CHANGES.md

356lines · modecode

1## 2024.2.1
2### Notices
3- Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
4
5## 2023.9.0
6### Notices
7- The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
8## 2023.7.0
9### New Features
10- You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
11
12## 2023.4.1
13### New Features
14- You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
15
16## 2023.3.2
17### Notices
18- Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
19
20## 2023.3.1
21### Breaking Change
22- Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
23
24### Security Fixes
25- Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
26
27### Bug Fixes
28- Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
29
30## 2023.2.2
31### Notices
32- Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
33- h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
34
35## 2023.2.1
36### Bug fixes
37- Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
38- cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
39- Fixed a bug introduced in the previous release where debug endpoints were removed.
40
41## 2022.12.0
42### Improvements
43- cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
44- cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
45- cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
46
47## 2022.9.0
48### New Features
49- cloudflared now rejects ingress rules with invalid http status codes for http_status.
50
51## 2022.8.1
52### New Features
53- cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
54 protocol on connection failures.
55
56## 2022.7.1
57### New Features
58- It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
59
60### Bug Fixes
61- Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.
62
63## 2022.4.0
64### Bug Fixes
65- `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
66that allows to run the Tunnel.
67
68## 2022.3.4
69### New Features
70- It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is
71achievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for
72Tunnels created with cloudflared version 2022.3.0 or more recent.
73
74### Bug Fixes
75- `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the
76behaviour in Windows and MacOS).
77
78## 2022.3.3
79### Bug Fixes
80- `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the
81behaviour in MacOS).
82
83## 2022.3.1
84### Bug Fixes
85- Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.
86
87## 2022.3.0
88### New Features
89- It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.
90If the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with
91`unix+tls:/` for HTTPS.
92
93## 2022.2.1
94### New Features
95- This project now has a new LICENSE that is more compliant with open source purposes.
96
97### Bug Fixes
98- Various fixes to the reliability of `quic` protocol.
99
100## 2022.1.3
101### New Features
102- New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR
103can now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be
104made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
105
106### Bug Fixes
107- Correctly handle proxying UDP datagrams with no payload.
108- Bug fix for origins that use Server-Sent Events (SSE).
109
110## 2022.1.0
111### Improvements
112- If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol
113(such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific
114protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it
115no matter what.
116
117### Bug Fixes
118- Stopping cloudflared running with `quic` protocol now respects graceful shutdown.
119
120## 2021.12.2
121### Bug Fixes
122- Fix logging when `quic` transport is used and UDP traffic is proxied.
123- FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux
124and amd64.
125
126## 2021.12.1
127### Bug Fixes
128 - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption
129methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted
130FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
131
132## 2021.12.0
133### New Features
134- Cloudflared binary released for amd64 linux is now FIPS compliant.
135
136### Improvements
137- Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to
138Cloudflare edge that are active. Otherwise it logs `WARN` level.
139
140### Bug Fixes
141- Fixes Github issue #501.
142
143## 2021.11.0
144### Improvements
145- Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or
146egress rule.
147
148## 2021.10.4
149### Improvements
150- Collect quic transport metrics on RTT, packets and bytes transferred.
151
152### Bug Fixes
153- Fix race condition that was writing to the connection after the http2 handler returns.
154
155## 2021.9.2
156
157### New features
158- `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add "protocol: quic" to your config.yml file or
159run cloudflared with the `--protocol quic` flag. e.g:
160 `cloudflared tunnel --protocol quic run <tunnel-name>`
161
162### Bug Fixes
163- Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`
164with `quic` protocol.
165- `cloudflared` docker images will now show version.
166
167
168## 2021.8.4
169### Improvements
170- Temporary tunnels (those hosted on trycloudflare.com that do not require a Cloudflare login) now run as Named Tunnels
171underneath. We recall that these tunnels should not be relied upon for production usage as they come with no guarantee
172of uptime. Previous cloudflared versions will soon be unable to run legacy temporary tunnels and will require an update
173(to this version or more recent).
174
175## 2021.8.2
176### Improvements
177- Because Equinox os shutting down, all cloudflared releases are now present [here](https://github.com/cloudflare/cloudflared/releases).
178[Equinox](https://dl.equinox.io/cloudflare/cloudflared/stable) will no longer receive updates.
179
180## 2021.8.0
181### Bug fixes
182- Prevents tunnel from accidentally running when only proxy-dns should run.
183
184### Improvements
185- If auto protocol transport lookup fails, we now default to a transport instead of not connecting.
186
187## 2021.6.0
188### Bug Fixes
189- Fixes a http2 transport (the new default for Named Tunnels) to work with unix socket origins.
190
191
192## 2021.5.10
193### Bug Fixes
194- Fixes a memory leak in h2mux transport that connects cloudflared to Cloudflare edge.
195
196
197## 2021.5.9
198### New Features
199- Uses new Worker based login helper service to facilitate token exchange in cloudflared flows.
200
201### Bug Fixes
202- Fixes Centos-7 builds.
203
204## 2021.5.8
205### New Features
206- When creating a DNS record to point a hostname at a tunnel, you can now use --overwrite-dns to overwrite any existing
207 DNS records with that hostname. This works both when using the CLI to provision DNS, as well as when starting an adhoc
208 named tunnel, e.g.:
209 - `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`
210 - `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`
211
212## 2021.5.7
213### New Features
214- Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network.
215
216## 2021.5.0
217
218### New Features
219- It is now possible to run the same tunnel using more than one `cloudflared` instance. This is a server-side change and
220 is compatible with any client version that uses Named Tunnels.
221
222 To get started, visit our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas).
223- `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for
224 detecting typos in your config.
225- If `cloudflared` detects it is running inside a Linux container, it will limit itself to use only the number of CPUs
226 the pod has been granted, instead of trying to use every CPU available.
227
228## 2021.4.0
229
230### Bug Fixes
231
232- Fixed proxying of websocket requests to avoid possibility of losing initial frames that were sent in the same TCP
233 packet as response headers [#345](https://github.com/cloudflare/cloudflared/issues/345).
234- `proxy-dns` option now works in conjunction with running a named tunnel [#346](https://github.com/cloudflare/cloudflared/issues/346).
235
236## 2021.3.6
237
238### Bug Fixes
239
240- Reverted 2021.3.5 improvement to use HTTP/2 in a best-effort manner between cloudflared and origin services because
241 it was found to break in some cases.
242
243## 2021.3.5
244
245### Improvements
246
247 - HTTP/2 transport is now always chosen if origin server supports it and the service url scheme is HTTPS.
248 This was previously done in a best attempt manner.
249
250### Bug Fixes
251
252 - The MacOS binaries were not successfully released in 2021.3.3 and 2021.3.4. This release is aimed at addressing that.
253
254## 2021.3.3
255
256### Improvements
257
258- Tunnel create command, as well as, running ad-hoc tunnels using `cloudflared tunnel -name NAME`, will not overwrite
259 existing files when writing tunnel credentials.
260
261### Bug Fixes
262
263- Tunnel create and delete commands no longer use path to credentials from the configuration file.
264 If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
265- Access ssh-gen creates properly named keys for SSH short lived certs.
266
267
268## 2021.3.2
269
270### New Features
271
272- It is now possible to obtain more detailed information about the cloudflared connectors to Cloudflare Edge via
273 `cloudflared tunnel info <name/uuid>`. It is possible to sort the output as well as output in different formats,
274 such as: `cloudflared tunnel info --sort-by version --invert-sort --output json <name/uuid>`.
275 You can obtain more information via `cloudflared tunnel info --help`.
276
277### Bug Fixes
278
279- Don't look for configuration file in default paths when `--config FILE` flag is present after `tunnel` subcommand.
280- cloudflared access token command now functions correctly with the new token-per-app change from 2021.3.0.
281
282
283## 2021.3.0
284
285### New Features
286
287- [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands
288 now show up in the `cloudflared tunnel route --help` output.
289- There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress
290 rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only
291 if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address
292 within it:
293```
294ingress:
295 - hostname: socks.example.com
296 service: socks-proxy
297 originRequest:
298 ipRules:
299 - prefix: 192.168.1.8/32
300 allow: false
301 - prefix: 192.168.1.0/24
302 ports: [80, 443]
303 allow: true
304```
305
306
307### Improvements
308
309- Nested commands, such as `cloudflared tunnel run`, now consider CLI arguments even if they appear earlier on the
310 command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as
311 `cloudflared tunnel --config config.yaml run`
312- Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and
313 `no-autoupdate` is `true`.
314- Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the
315 user is required to authenticate with an Access policy redundantly.
316
317### Bug Fixes
318
319- GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.
320
321## 2021.2.5
322
323### New Features
324
325- We introduce [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) in
326 beta mode. Cloudflare customer can now connect users and private networks with RFC 1918 IP addresses via the
327 Cloudflare edge network. Users running Cloudflare WARP client in the same organization can connect to the services
328 made available by Argo Tunnel IP routes. Please share your feedback in the GitHub issue tracker.
329
330## 2021.2.4
331
332### Bug Fixes
333
334- Reverts the Improvement released in 2021.2.3 for CLI arguments as it introduced a regression where cloudflared failed
335 to read URLs in configuration files.
336- cloudflared now logs the reason for failed connections if the error is recoverable.
337
338## 2021.2.3
339
340### Backward Incompatible Changes
341
342- Removes db-connect. The Cloudflare Workers product will continue to support db-connect implementations with versions
343 of cloudflared that predate this release and include support for db-connect.
344
345### New Features
346
347- Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318).
348
349### Improvements
350
351- (reverted) Nested command line argument handling.
352
353### Bug Fixes
354
355- The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared
356 exhausting CPU usage when faced with connectivity issues.
357