cloudflare/cloudflared

Public

mirrored from https://github.com/cloudflare/cloudflaredAvailable

CodeCommitsIssuesPull requestsActionsInsightsSecurity
2024.8.2

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

config/configuration.go

451lines · modecode

1package config
2
3import (
4 "encoding/json"
5 "fmt"
6 "io"
7 "net/url"
8 "os"
9 "path/filepath"
10 "runtime"
11 "strconv"
12 "time"
13
14 homedir "github.com/mitchellh/go-homedir"
15 "github.com/pkg/errors"
16 "github.com/rs/zerolog"
17 "github.com/urfave/cli/v2"
18 yaml "gopkg.in/yaml.v3"
19
20 "github.com/cloudflare/cloudflared/validation"
21)
22
23var (
24 // DefaultConfigFiles is the file names from which we attempt to read configuration.
25 DefaultConfigFiles = []string{"config.yml", "config.yaml"}
26
27 // DefaultUnixConfigLocation is the primary location to find a config file
28 DefaultUnixConfigLocation = "/usr/local/etc/cloudflared"
29
30 // DefaultUnixLogLocation is the primary location to find log files
31 DefaultUnixLogLocation = "/var/log/cloudflared"
32
33 // Launchd doesn't set root env variables, so there is default
34 // Windows default config dir was ~/cloudflare-warp in documentation; let's keep it compatible
35 defaultUserConfigDirs = []string{"~/.cloudflared", "~/.cloudflare-warp", "~/cloudflare-warp"}
36 defaultNixConfigDirs = []string{"/etc/cloudflared", DefaultUnixConfigLocation}
37
38 ErrNoConfigFile = fmt.Errorf("Cannot determine default configuration path. No file %v in %v", DefaultConfigFiles, DefaultConfigSearchDirectories())
39)
40
41const (
42 // BastionFlag is to enable bastion, or jump host, operation
43 BastionFlag = "bastion"
44)
45
46// DefaultConfigDirectory returns the default directory of the config file
47func DefaultConfigDirectory() string {
48 if runtime.GOOS == "windows" {
49 path := os.Getenv("CFDPATH")
50 if path == "" {
51 path = filepath.Join(os.Getenv("ProgramFiles(x86)"), "cloudflared")
52 if _, err := os.Stat(path); os.IsNotExist(err) { // doesn't exist, so return an empty failure string
53 return ""
54 }
55 }
56 return path
57 }
58 return DefaultUnixConfigLocation
59}
60
61// DefaultLogDirectory returns the default directory for log files
62func DefaultLogDirectory() string {
63 if runtime.GOOS == "windows" {
64 return DefaultConfigDirectory()
65 }
66 return DefaultUnixLogLocation
67}
68
69// DefaultConfigPath returns the default location of a config file
70func DefaultConfigPath() string {
71 dir := DefaultConfigDirectory()
72 if dir == "" {
73 return DefaultConfigFiles[0]
74 }
75 return filepath.Join(dir, DefaultConfigFiles[0])
76}
77
78// DefaultConfigSearchDirectories returns the default folder locations of the config
79func DefaultConfigSearchDirectories() []string {
80 dirs := make([]string, len(defaultUserConfigDirs))
81 copy(dirs, defaultUserConfigDirs)
82 if runtime.GOOS != "windows" {
83 dirs = append(dirs, defaultNixConfigDirs...)
84 }
85 return dirs
86}
87
88// FileExists checks to see if a file exist at the provided path.
89func FileExists(path string) (bool, error) {
90 f, err := os.Open(path)
91 if err != nil {
92 if os.IsNotExist(err) {
93 // ignore missing files
94 return false, nil
95 }
96 return false, err
97 }
98 _ = f.Close()
99 return true, nil
100}
101
102// FindDefaultConfigPath returns the first path that contains a config file.
103// If none of the combination of DefaultConfigSearchDirectories() and DefaultConfigFiles
104// contains a config file, return empty string.
105func FindDefaultConfigPath() string {
106 for _, configDir := range DefaultConfigSearchDirectories() {
107 for _, configFile := range DefaultConfigFiles {
108 dirPath, err := homedir.Expand(configDir)
109 if err != nil {
110 continue
111 }
112 path := filepath.Join(dirPath, configFile)
113 if ok, _ := FileExists(path); ok {
114 return path
115 }
116 }
117 }
118 return ""
119}
120
121// FindOrCreateConfigPath returns the first path that contains a config file
122// or creates one in the primary default path if it doesn't exist
123func FindOrCreateConfigPath() string {
124 path := FindDefaultConfigPath()
125
126 if path == "" {
127 // create the default directory if it doesn't exist
128 path = DefaultConfigPath()
129 if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil {
130 return ""
131 }
132
133 // write a new config file out
134 file, err := os.Create(path)
135 if err != nil {
136 return ""
137 }
138 defer file.Close()
139
140 logDir := DefaultLogDirectory()
141 _ = os.MkdirAll(logDir, os.ModePerm) // try and create it. Doesn't matter if it succeed or not, only byproduct will be no logs
142
143 c := Root{
144 LogDirectory: logDir,
145 }
146 if err := yaml.NewEncoder(file).Encode(&c); err != nil {
147 return ""
148 }
149 }
150
151 return path
152}
153
154// ValidateUnixSocket ensures --unix-socket param is used exclusively
155// i.e. it fails if a user specifies both --url and --unix-socket
156func ValidateUnixSocket(c *cli.Context) (string, error) {
157 if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) {
158 return "", errors.New("--unix-socket must be used exclusivly.")
159 }
160 return c.String("unix-socket"), nil
161}
162
163// ValidateUrl will validate url flag correctness. It can be either from --url or argument
164// Notice ValidateUnixSocket, it will enforce --unix-socket is not used with --url or argument
165func ValidateUrl(c *cli.Context, allowURLFromArgs bool) (*url.URL, error) {
166 var url = c.String("url")
167 if allowURLFromArgs && c.NArg() > 0 {
168 if c.IsSet("url") {
169 return nil, errors.New("Specified origin urls using both --url and argument. Decide which one you want, I can only support one.")
170 }
171 url = c.Args().Get(0)
172 }
173 validUrl, err := validation.ValidateUrl(url)
174 return validUrl, err
175}
176
177type UnvalidatedIngressRule struct {
178 Hostname string `json:"hostname,omitempty"`
179 Path string `json:"path,omitempty"`
180 Service string `json:"service,omitempty"`
181 OriginRequest OriginRequestConfig `yaml:"originRequest" json:"originRequest"`
182}
183
184// OriginRequestConfig is a set of optional fields that users may set to
185// customize how cloudflared sends requests to origin services. It is used to set
186// up general config that apply to all rules, and also, specific per-rule
187// config.
188// Note:
189// - To specify a time.Duration in go-yaml, use e.g. "3s" or "24h".
190// - To specify a time.Duration in json, use int64 of the nanoseconds
191type OriginRequestConfig struct {
192 // HTTP proxy timeout for establishing a new connection
193 ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"`
194 // HTTP proxy timeout for completing a TLS handshake
195 TLSTimeout *CustomDuration `yaml:"tlsTimeout" json:"tlsTimeout,omitempty"`
196 // HTTP proxy TCP keepalive duration
197 TCPKeepAlive *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"`
198 // HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback
199 NoHappyEyeballs *bool `yaml:"noHappyEyeballs" json:"noHappyEyeballs,omitempty"`
200 // HTTP proxy maximum keepalive connection pool size
201 KeepAliveConnections *int `yaml:"keepAliveConnections" json:"keepAliveConnections,omitempty"`
202 // HTTP proxy timeout for closing an idle connection
203 KeepAliveTimeout *CustomDuration `yaml:"keepAliveTimeout" json:"keepAliveTimeout,omitempty"`
204 // Sets the HTTP Host header for the local webserver.
205 HTTPHostHeader *string `yaml:"httpHostHeader" json:"httpHostHeader,omitempty"`
206 // Hostname on the origin server certificate.
207 OriginServerName *string `yaml:"originServerName" json:"originServerName,omitempty"`
208 // Auto configure the Hostname on the origin server certificate.
209 MatchSNIToHost *bool `yaml:"matchSNItoHost" json:"matchSNItoHost,omitempty"`
210 // Path to the CA for the certificate of your origin.
211 // This option should be used only if your certificate is not signed by Cloudflare.
212 CAPool *string `yaml:"caPool" json:"caPool,omitempty"`
213 // Disables TLS verification of the certificate presented by your origin.
214 // Will allow any certificate from the origin to be accepted.
215 // Note: The connection from your machine to Cloudflare's Edge is still encrypted.
216 NoTLSVerify *bool `yaml:"noTLSVerify" json:"noTLSVerify,omitempty"`
217 // Disables chunked transfer encoding.
218 // Useful if you are running a WSGI server.
219 DisableChunkedEncoding *bool `yaml:"disableChunkedEncoding" json:"disableChunkedEncoding,omitempty"`
220 // Runs as jump host
221 BastionMode *bool `yaml:"bastionMode" json:"bastionMode,omitempty"`
222 // Listen address for the proxy.
223 ProxyAddress *string `yaml:"proxyAddress" json:"proxyAddress,omitempty"`
224 // Listen port for the proxy.
225 ProxyPort *uint `yaml:"proxyPort" json:"proxyPort,omitempty"`
226 // Valid options are 'socks' or empty.
227 ProxyType *string `yaml:"proxyType" json:"proxyType,omitempty"`
228 // IP rules for the proxy service
229 IPRules []IngressIPRule `yaml:"ipRules" json:"ipRules,omitempty"`
230 // Attempt to connect to origin with HTTP/2
231 Http2Origin *bool `yaml:"http2Origin" json:"http2Origin,omitempty"`
232 // Access holds all access related configs
233 Access *AccessConfig `yaml:"access" json:"access,omitempty"`
234}
235
236type AccessConfig struct {
237 // Required when set to true will fail every request that does not arrive through an access authenticated endpoint.
238 Required bool `yaml:"required" json:"required,omitempty"`
239
240 // TeamName is the organization team name to get the public key certificates for.
241 TeamName string `yaml:"teamName" json:"teamName"`
242
243 // AudTag is the AudTag to verify access JWT against.
244 AudTag []string `yaml:"audTag" json:"audTag"`
245}
246
247type IngressIPRule struct {
248 Prefix *string `yaml:"prefix" json:"prefix"`
249 Ports []int `yaml:"ports" json:"ports"`
250 Allow bool `yaml:"allow" json:"allow"`
251}
252
253type Configuration struct {
254 TunnelID string `yaml:"tunnel"`
255 Ingress []UnvalidatedIngressRule
256 WarpRouting WarpRoutingConfig `yaml:"warp-routing"`
257 OriginRequest OriginRequestConfig `yaml:"originRequest"`
258 sourceFile string
259}
260
261type WarpRoutingConfig struct {
262 ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"`
263 TCPKeepAlive *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"`
264}
265
266type configFileSettings struct {
267 Configuration `yaml:",inline"`
268 // older settings will be aggregated into the generic map, should be read via cli.Context
269 Settings map[string]interface{} `yaml:",inline"`
270}
271
272func (c *Configuration) Source() string {
273 return c.sourceFile
274}
275
276func (c *configFileSettings) Int(name string) (int, error) {
277 if raw, ok := c.Settings[name]; ok {
278 if v, ok := raw.(int); ok {
279 return v, nil
280 }
281 return 0, fmt.Errorf("expected int found %T for %s", raw, name)
282 }
283 return 0, nil
284}
285
286func (c *configFileSettings) Duration(name string) (time.Duration, error) {
287 if raw, ok := c.Settings[name]; ok {
288 switch v := raw.(type) {
289 case time.Duration:
290 return v, nil
291 case string:
292 return time.ParseDuration(v)
293 }
294 return 0, fmt.Errorf("expected duration found %T for %s", raw, name)
295 }
296 return 0, nil
297}
298
299func (c *configFileSettings) Float64(name string) (float64, error) {
300 if raw, ok := c.Settings[name]; ok {
301 if v, ok := raw.(float64); ok {
302 return v, nil
303 }
304 return 0, fmt.Errorf("expected float found %T for %s", raw, name)
305 }
306 return 0, nil
307}
308
309func (c *configFileSettings) String(name string) (string, error) {
310 if raw, ok := c.Settings[name]; ok {
311 if v, ok := raw.(string); ok {
312 return v, nil
313 }
314 return "", fmt.Errorf("expected string found %T for %s", raw, name)
315 }
316 return "", nil
317}
318
319func (c *configFileSettings) StringSlice(name string) ([]string, error) {
320 if raw, ok := c.Settings[name]; ok {
321 if slice, ok := raw.([]interface{}); ok {
322 strSlice := make([]string, len(slice))
323 for i, v := range slice {
324 str, ok := v.(string)
325 if !ok {
326 return nil, fmt.Errorf("expected string, found %T for %v", i, v)
327 }
328 strSlice[i] = str
329 }
330 return strSlice, nil
331 }
332 return nil, fmt.Errorf("expected string slice found %T for %s", raw, name)
333 }
334 return nil, nil
335}
336
337func (c *configFileSettings) IntSlice(name string) ([]int, error) {
338 if raw, ok := c.Settings[name]; ok {
339 if slice, ok := raw.([]interface{}); ok {
340 intSlice := make([]int, len(slice))
341 for i, v := range slice {
342 str, ok := v.(int)
343 if !ok {
344 return nil, fmt.Errorf("expected int, found %T for %v ", v, v)
345 }
346 intSlice[i] = str
347 }
348 return intSlice, nil
349 }
350 if v, ok := raw.([]int); ok {
351 return v, nil
352 }
353 return nil, fmt.Errorf("expected int slice found %T for %s", raw, name)
354 }
355 return nil, nil
356}
357
358func (c *configFileSettings) Generic(name string) (cli.Generic, error) {
359 return nil, errors.New("option type Generic not supported")
360}
361
362func (c *configFileSettings) Bool(name string) (bool, error) {
363 if raw, ok := c.Settings[name]; ok {
364 if v, ok := raw.(bool); ok {
365 return v, nil
366 }
367 return false, fmt.Errorf("expected boolean found %T for %s", raw, name)
368 }
369 return false, nil
370}
371
372var configuration configFileSettings
373
374func GetConfiguration() *Configuration {
375 return &configuration.Configuration
376}
377
378// ReadConfigFile returns InputSourceContext initialized from the configuration file.
379// On repeat calls returns with the same file, returns without reading the file again; however,
380// if value of "config" flag changes, will read the new config file
381func ReadConfigFile(c *cli.Context, log *zerolog.Logger) (settings *configFileSettings, warnings string, err error) {
382 configFile := c.String("config")
383 if configuration.Source() == configFile || configFile == "" {
384 if configuration.Source() == "" {
385 return nil, "", ErrNoConfigFile
386 }
387 return &configuration, "", nil
388 }
389
390 log.Debug().Msgf("Loading configuration from %s", configFile)
391 file, err := os.Open(configFile)
392 if err != nil {
393 // If does not exist and config file was not specificly specified then return ErrNoConfigFile found.
394 if os.IsNotExist(err) && !c.IsSet("config") {
395 err = ErrNoConfigFile
396 }
397 return nil, "", err
398 }
399 defer file.Close()
400 if err := yaml.NewDecoder(file).Decode(&configuration); err != nil {
401 if err == io.EOF {
402 log.Error().Msgf("Configuration file %s was empty", configFile)
403 return &configuration, "", nil
404 }
405 return nil, "", errors.Wrap(err, "error parsing YAML in config file at "+configFile)
406 }
407 configuration.sourceFile = configFile
408
409 // Parse it again, with strict mode, to find warnings.
410 if file, err := os.Open(configFile); err == nil {
411 decoder := yaml.NewDecoder(file)
412 decoder.KnownFields(true)
413 var unusedConfig configFileSettings
414 if err := decoder.Decode(&unusedConfig); err != nil {
415 warnings = err.Error()
416 }
417 }
418
419 return &configuration, warnings, nil
420}
421
422// A CustomDuration is a Duration that has custom serialization for JSON.
423// JSON in Javascript assumes that int fields are 32 bits and Duration fields are deserialized assuming that numbers
424// are in nanoseconds, which in 32bit integers limits to just 2 seconds.
425// This type assumes that when serializing/deserializing from JSON, that the number is in seconds, while it maintains
426// the YAML serde assumptions.
427type CustomDuration struct {
428 time.Duration
429}
430
431func (s CustomDuration) MarshalJSON() ([]byte, error) {
432 return json.Marshal(s.Duration.Seconds())
433}
434
435func (s *CustomDuration) UnmarshalJSON(data []byte) error {
436 seconds, err := strconv.ParseInt(string(data), 10, 64)
437 if err != nil {
438 return err
439 }
440
441 s.Duration = time.Duration(seconds * int64(time.Second))
442 return nil
443}
444
445func (s *CustomDuration) MarshalYAML() (interface{}, error) {
446 return s.Duration.String(), nil
447}
448
449func (s *CustomDuration) UnmarshalYAML(unmarshal func(interface{}) error) error {
450 return unmarshal(&s.Duration)
451}
452