cloudflare/cloudflared
Publicmirrored from https://github.com/cloudflare/cloudflaredAvailable
config/configuration.go
454lines · modecode
| 1 | package config |
| 2 | |
| 3 | import ( |
| 4 | "encoding/json" |
| 5 | "fmt" |
| 6 | "io" |
| 7 | "net/url" |
| 8 | "os" |
| 9 | "path/filepath" |
| 10 | "runtime" |
| 11 | "strconv" |
| 12 | "time" |
| 13 | |
| 14 | homedir "github.com/mitchellh/go-homedir" |
| 15 | "github.com/pkg/errors" |
| 16 | "github.com/rs/zerolog" |
| 17 | "github.com/urfave/cli/v2" |
| 18 | yaml "gopkg.in/yaml.v3" |
| 19 | |
| 20 | "github.com/cloudflare/cloudflared/validation" |
| 21 | ) |
| 22 | |
| 23 | var ( |
| 24 | // DefaultConfigFiles is the file names from which we attempt to read configuration. |
| 25 | DefaultConfigFiles = []string{"config.yml", "config.yaml"} |
| 26 | |
| 27 | // DefaultUnixConfigLocation is the primary location to find a config file |
| 28 | DefaultUnixConfigLocation = "/usr/local/etc/cloudflared" |
| 29 | |
| 30 | // DefaultUnixLogLocation is the primary location to find log files |
| 31 | DefaultUnixLogLocation = "/var/log/cloudflared" |
| 32 | |
| 33 | // Launchd doesn't set root env variables, so there is default |
| 34 | // Windows default config dir was ~/cloudflare-warp in documentation; let's keep it compatible |
| 35 | defaultUserConfigDirs = []string{"~/.cloudflared", "~/.cloudflare-warp", "~/cloudflare-warp"} |
| 36 | defaultNixConfigDirs = []string{"/etc/cloudflared", DefaultUnixConfigLocation} |
| 37 | |
| 38 | ErrNoConfigFile = fmt.Errorf("Cannot determine default configuration path. No file %v in %v", DefaultConfigFiles, DefaultConfigSearchDirectories()) |
| 39 | ) |
| 40 | |
| 41 | const ( |
| 42 | // BastionFlag is to enable bastion, or jump host, operation |
| 43 | BastionFlag = "bastion" |
| 44 | ) |
| 45 | |
| 46 | // DefaultConfigDirectory returns the default directory of the config file |
| 47 | func DefaultConfigDirectory() string { |
| 48 | if runtime.GOOS == "windows" { |
| 49 | path := os.Getenv("CFDPATH") |
| 50 | if path == "" { |
| 51 | path = filepath.Join(os.Getenv("ProgramFiles(x86)"), "cloudflared") |
| 52 | if _, err := os.Stat(path); os.IsNotExist(err) { // doesn't exist, so return an empty failure string |
| 53 | return "" |
| 54 | } |
| 55 | } |
| 56 | return path |
| 57 | } |
| 58 | return DefaultUnixConfigLocation |
| 59 | } |
| 60 | |
| 61 | // DefaultLogDirectory returns the default directory for log files |
| 62 | func DefaultLogDirectory() string { |
| 63 | if runtime.GOOS == "windows" { |
| 64 | return DefaultConfigDirectory() |
| 65 | } |
| 66 | return DefaultUnixLogLocation |
| 67 | } |
| 68 | |
| 69 | // DefaultConfigPath returns the default location of a config file |
| 70 | func DefaultConfigPath() string { |
| 71 | dir := DefaultConfigDirectory() |
| 72 | if dir == "" { |
| 73 | return DefaultConfigFiles[0] |
| 74 | } |
| 75 | return filepath.Join(dir, DefaultConfigFiles[0]) |
| 76 | } |
| 77 | |
| 78 | // DefaultConfigSearchDirectories returns the default folder locations of the config |
| 79 | func DefaultConfigSearchDirectories() []string { |
| 80 | dirs := make([]string, len(defaultUserConfigDirs)) |
| 81 | copy(dirs, defaultUserConfigDirs) |
| 82 | if runtime.GOOS != "windows" { |
| 83 | dirs = append(dirs, defaultNixConfigDirs...) |
| 84 | } |
| 85 | return dirs |
| 86 | } |
| 87 | |
| 88 | // FileExists checks to see if a file exist at the provided path. |
| 89 | func FileExists(path string) (bool, error) { |
| 90 | f, err := os.Open(path) |
| 91 | if err != nil { |
| 92 | if os.IsNotExist(err) { |
| 93 | // ignore missing files |
| 94 | return false, nil |
| 95 | } |
| 96 | return false, err |
| 97 | } |
| 98 | _ = f.Close() |
| 99 | return true, nil |
| 100 | } |
| 101 | |
| 102 | // FindDefaultConfigPath returns the first path that contains a config file. |
| 103 | // If none of the combination of DefaultConfigSearchDirectories() and DefaultConfigFiles |
| 104 | // contains a config file, return empty string. |
| 105 | func FindDefaultConfigPath() string { |
| 106 | for _, configDir := range DefaultConfigSearchDirectories() { |
| 107 | for _, configFile := range DefaultConfigFiles { |
| 108 | dirPath, err := homedir.Expand(configDir) |
| 109 | if err != nil { |
| 110 | continue |
| 111 | } |
| 112 | path := filepath.Join(dirPath, configFile) |
| 113 | if ok, _ := FileExists(path); ok { |
| 114 | return path |
| 115 | } |
| 116 | } |
| 117 | } |
| 118 | return "" |
| 119 | } |
| 120 | |
| 121 | // FindOrCreateConfigPath returns the first path that contains a config file |
| 122 | // or creates one in the primary default path if it doesn't exist |
| 123 | func FindOrCreateConfigPath() string { |
| 124 | path := FindDefaultConfigPath() |
| 125 | |
| 126 | if path == "" { |
| 127 | // create the default directory if it doesn't exist |
| 128 | path = DefaultConfigPath() |
| 129 | if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil { |
| 130 | return "" |
| 131 | } |
| 132 | |
| 133 | // write a new config file out |
| 134 | file, err := os.Create(path) |
| 135 | if err != nil { |
| 136 | return "" |
| 137 | } |
| 138 | defer file.Close() |
| 139 | |
| 140 | logDir := DefaultLogDirectory() |
| 141 | _ = os.MkdirAll(logDir, os.ModePerm) // try and create it. Doesn't matter if it succeed or not, only byproduct will be no logs |
| 142 | |
| 143 | c := Root{ |
| 144 | LogDirectory: logDir, |
| 145 | } |
| 146 | if err := yaml.NewEncoder(file).Encode(&c); err != nil { |
| 147 | return "" |
| 148 | } |
| 149 | } |
| 150 | |
| 151 | return path |
| 152 | } |
| 153 | |
| 154 | // ValidateUnixSocket ensures --unix-socket param is used exclusively |
| 155 | // i.e. it fails if a user specifies both --url and --unix-socket |
| 156 | func ValidateUnixSocket(c *cli.Context) (string, error) { |
| 157 | if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) { |
| 158 | return "", errors.New("--unix-socket must be used exclusively.") |
| 159 | } |
| 160 | return c.String("unix-socket"), nil |
| 161 | } |
| 162 | |
| 163 | // ValidateUrl will validate url flag correctness. It can be either from --url or argument |
| 164 | // Notice ValidateUnixSocket, it will enforce --unix-socket is not used with --url or argument |
| 165 | func ValidateUrl(c *cli.Context, allowURLFromArgs bool) (*url.URL, error) { |
| 166 | var url = c.String("url") |
| 167 | if allowURLFromArgs && c.NArg() > 0 { |
| 168 | if c.IsSet("url") { |
| 169 | return nil, errors.New("Specified origin urls using both --url and argument. Decide which one you want, I can only support one.") |
| 170 | } |
| 171 | url = c.Args().Get(0) |
| 172 | } |
| 173 | validUrl, err := validation.ValidateUrl(url) |
| 174 | return validUrl, err |
| 175 | } |
| 176 | |
| 177 | type UnvalidatedIngressRule struct { |
| 178 | Hostname string `json:"hostname,omitempty"` |
| 179 | Path string `json:"path,omitempty"` |
| 180 | Service string `json:"service,omitempty"` |
| 181 | OriginRequest OriginRequestConfig `yaml:"originRequest" json:"originRequest"` |
| 182 | } |
| 183 | |
| 184 | // OriginRequestConfig is a set of optional fields that users may set to |
| 185 | // customize how cloudflared sends requests to origin services. It is used to set |
| 186 | // up general config that apply to all rules, and also, specific per-rule |
| 187 | // config. |
| 188 | // Note: |
| 189 | // - To specify a time.Duration in go-yaml, use e.g. "3s" or "24h". |
| 190 | // - To specify a time.Duration in json, use int64 of the nanoseconds |
| 191 | type OriginRequestConfig struct { |
| 192 | // HTTP proxy timeout for establishing a new connection |
| 193 | ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"` |
| 194 | // HTTP proxy timeout for completing a TLS handshake |
| 195 | TLSTimeout *CustomDuration `yaml:"tlsTimeout" json:"tlsTimeout,omitempty"` |
| 196 | // HTTP proxy TCP keepalive duration |
| 197 | TCPKeepAlive *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"` |
| 198 | // HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback |
| 199 | NoHappyEyeballs *bool `yaml:"noHappyEyeballs" json:"noHappyEyeballs,omitempty"` |
| 200 | // HTTP proxy maximum keepalive connection pool size |
| 201 | KeepAliveConnections *int `yaml:"keepAliveConnections" json:"keepAliveConnections,omitempty"` |
| 202 | // HTTP proxy timeout for closing an idle connection |
| 203 | KeepAliveTimeout *CustomDuration `yaml:"keepAliveTimeout" json:"keepAliveTimeout,omitempty"` |
| 204 | // Sets the HTTP Host header for the local webserver. |
| 205 | HTTPHostHeader *string `yaml:"httpHostHeader" json:"httpHostHeader,omitempty"` |
| 206 | // Hostname on the origin server certificate. |
| 207 | OriginServerName *string `yaml:"originServerName" json:"originServerName,omitempty"` |
| 208 | // Auto configure the Hostname on the origin server certificate. |
| 209 | MatchSNIToHost *bool `yaml:"matchSNItoHost" json:"matchSNItoHost,omitempty"` |
| 210 | // Path to the CA for the certificate of your origin. |
| 211 | // This option should be used only if your certificate is not signed by Cloudflare. |
| 212 | CAPool *string `yaml:"caPool" json:"caPool,omitempty"` |
| 213 | // Disables TLS verification of the certificate presented by your origin. |
| 214 | // Will allow any certificate from the origin to be accepted. |
| 215 | // Note: The connection from your machine to Cloudflare's Edge is still encrypted. |
| 216 | NoTLSVerify *bool `yaml:"noTLSVerify" json:"noTLSVerify,omitempty"` |
| 217 | // Disables chunked transfer encoding. |
| 218 | // Useful if you are running a WSGI server. |
| 219 | DisableChunkedEncoding *bool `yaml:"disableChunkedEncoding" json:"disableChunkedEncoding,omitempty"` |
| 220 | // Runs as jump host |
| 221 | BastionMode *bool `yaml:"bastionMode" json:"bastionMode,omitempty"` |
| 222 | // Listen address for the proxy. |
| 223 | ProxyAddress *string `yaml:"proxyAddress" json:"proxyAddress,omitempty"` |
| 224 | // Listen port for the proxy. |
| 225 | ProxyPort *uint `yaml:"proxyPort" json:"proxyPort,omitempty"` |
| 226 | // Valid options are 'socks' or empty. |
| 227 | ProxyType *string `yaml:"proxyType" json:"proxyType,omitempty"` |
| 228 | // IP rules for the proxy service |
| 229 | IPRules []IngressIPRule `yaml:"ipRules" json:"ipRules,omitempty"` |
| 230 | // Attempt to connect to origin with HTTP/2 |
| 231 | Http2Origin *bool `yaml:"http2Origin" json:"http2Origin,omitempty"` |
| 232 | // Access holds all access related configs |
| 233 | Access *AccessConfig `yaml:"access" json:"access,omitempty"` |
| 234 | } |
| 235 | |
| 236 | type AccessConfig struct { |
| 237 | // Required when set to true will fail every request that does not arrive through an access authenticated endpoint. |
| 238 | Required bool `yaml:"required" json:"required,omitempty"` |
| 239 | |
| 240 | // TeamName is the organization team name to get the public key certificates for. |
| 241 | TeamName string `yaml:"teamName" json:"teamName"` |
| 242 | |
| 243 | // AudTag is the AudTag to verify access JWT against. |
| 244 | AudTag []string `yaml:"audTag" json:"audTag"` |
| 245 | |
| 246 | Environment string `yaml:"environment" json:"environment,omitempty"` |
| 247 | } |
| 248 | |
| 249 | type IngressIPRule struct { |
| 250 | Prefix *string `yaml:"prefix" json:"prefix"` |
| 251 | Ports []int `yaml:"ports" json:"ports"` |
| 252 | Allow bool `yaml:"allow" json:"allow"` |
| 253 | } |
| 254 | |
| 255 | type Configuration struct { |
| 256 | TunnelID string `yaml:"tunnel"` |
| 257 | Ingress []UnvalidatedIngressRule |
| 258 | WarpRouting WarpRoutingConfig `yaml:"warp-routing"` |
| 259 | OriginRequest OriginRequestConfig `yaml:"originRequest"` |
| 260 | sourceFile string |
| 261 | } |
| 262 | |
| 263 | type WarpRoutingConfig struct { |
| 264 | ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"` |
| 265 | MaxActiveFlows *uint64 `yaml:"maxActiveFlows" json:"maxActiveFlows,omitempty"` |
| 266 | TCPKeepAlive *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"` |
| 267 | } |
| 268 | |
| 269 | type configFileSettings struct { |
| 270 | Configuration `yaml:",inline"` |
| 271 | // older settings will be aggregated into the generic map, should be read via cli.Context |
| 272 | Settings map[string]interface{} `yaml:",inline"` |
| 273 | } |
| 274 | |
| 275 | func (c *Configuration) Source() string { |
| 276 | return c.sourceFile |
| 277 | } |
| 278 | |
| 279 | func (c *configFileSettings) Int(name string) (int, error) { |
| 280 | if raw, ok := c.Settings[name]; ok { |
| 281 | if v, ok := raw.(int); ok { |
| 282 | return v, nil |
| 283 | } |
| 284 | return 0, fmt.Errorf("expected int found %T for %s", raw, name) |
| 285 | } |
| 286 | return 0, nil |
| 287 | } |
| 288 | |
| 289 | func (c *configFileSettings) Duration(name string) (time.Duration, error) { |
| 290 | if raw, ok := c.Settings[name]; ok { |
| 291 | switch v := raw.(type) { |
| 292 | case time.Duration: |
| 293 | return v, nil |
| 294 | case string: |
| 295 | return time.ParseDuration(v) |
| 296 | } |
| 297 | return 0, fmt.Errorf("expected duration found %T for %s", raw, name) |
| 298 | } |
| 299 | return 0, nil |
| 300 | } |
| 301 | |
| 302 | func (c *configFileSettings) Float64(name string) (float64, error) { |
| 303 | if raw, ok := c.Settings[name]; ok { |
| 304 | if v, ok := raw.(float64); ok { |
| 305 | return v, nil |
| 306 | } |
| 307 | return 0, fmt.Errorf("expected float found %T for %s", raw, name) |
| 308 | } |
| 309 | return 0, nil |
| 310 | } |
| 311 | |
| 312 | func (c *configFileSettings) String(name string) (string, error) { |
| 313 | if raw, ok := c.Settings[name]; ok { |
| 314 | if v, ok := raw.(string); ok { |
| 315 | return v, nil |
| 316 | } |
| 317 | return "", fmt.Errorf("expected string found %T for %s", raw, name) |
| 318 | } |
| 319 | return "", nil |
| 320 | } |
| 321 | |
| 322 | func (c *configFileSettings) StringSlice(name string) ([]string, error) { |
| 323 | if raw, ok := c.Settings[name]; ok { |
| 324 | if slice, ok := raw.([]interface{}); ok { |
| 325 | strSlice := make([]string, len(slice)) |
| 326 | for i, v := range slice { |
| 327 | str, ok := v.(string) |
| 328 | if !ok { |
| 329 | return nil, fmt.Errorf("expected string, found %T for %v", i, v) |
| 330 | } |
| 331 | strSlice[i] = str |
| 332 | } |
| 333 | return strSlice, nil |
| 334 | } |
| 335 | return nil, fmt.Errorf("expected string slice found %T for %s", raw, name) |
| 336 | } |
| 337 | return nil, nil |
| 338 | } |
| 339 | |
| 340 | func (c *configFileSettings) IntSlice(name string) ([]int, error) { |
| 341 | if raw, ok := c.Settings[name]; ok { |
| 342 | if slice, ok := raw.([]interface{}); ok { |
| 343 | intSlice := make([]int, len(slice)) |
| 344 | for i, v := range slice { |
| 345 | str, ok := v.(int) |
| 346 | if !ok { |
| 347 | return nil, fmt.Errorf("expected int, found %T for %v ", v, v) |
| 348 | } |
| 349 | intSlice[i] = str |
| 350 | } |
| 351 | return intSlice, nil |
| 352 | } |
| 353 | if v, ok := raw.([]int); ok { |
| 354 | return v, nil |
| 355 | } |
| 356 | return nil, fmt.Errorf("expected int slice found %T for %s", raw, name) |
| 357 | } |
| 358 | return nil, nil |
| 359 | } |
| 360 | |
| 361 | func (c *configFileSettings) Generic(name string) (cli.Generic, error) { |
| 362 | return nil, errors.New("option type Generic not supported") |
| 363 | } |
| 364 | |
| 365 | func (c *configFileSettings) Bool(name string) (bool, error) { |
| 366 | if raw, ok := c.Settings[name]; ok { |
| 367 | if v, ok := raw.(bool); ok { |
| 368 | return v, nil |
| 369 | } |
| 370 | return false, fmt.Errorf("expected boolean found %T for %s", raw, name) |
| 371 | } |
| 372 | return false, nil |
| 373 | } |
| 374 | |
| 375 | var configuration configFileSettings |
| 376 | |
| 377 | func GetConfiguration() *Configuration { |
| 378 | return &configuration.Configuration |
| 379 | } |
| 380 | |
| 381 | // ReadConfigFile returns InputSourceContext initialized from the configuration file. |
| 382 | // On repeat calls returns with the same file, returns without reading the file again; however, |
| 383 | // if value of "config" flag changes, will read the new config file |
| 384 | func ReadConfigFile(c *cli.Context, log *zerolog.Logger) (settings *configFileSettings, warnings string, err error) { |
| 385 | configFile := c.String("config") |
| 386 | if configuration.Source() == configFile || configFile == "" { |
| 387 | if configuration.Source() == "" { |
| 388 | return nil, "", ErrNoConfigFile |
| 389 | } |
| 390 | return &configuration, "", nil |
| 391 | } |
| 392 | |
| 393 | log.Debug().Msgf("Loading configuration from %s", configFile) |
| 394 | file, err := os.Open(configFile) |
| 395 | if err != nil { |
| 396 | // If does not exist and config file was not specificly specified then return ErrNoConfigFile found. |
| 397 | if os.IsNotExist(err) && !c.IsSet("config") { |
| 398 | err = ErrNoConfigFile |
| 399 | } |
| 400 | return nil, "", err |
| 401 | } |
| 402 | defer file.Close() |
| 403 | if err := yaml.NewDecoder(file).Decode(&configuration); err != nil { |
| 404 | if err == io.EOF { |
| 405 | log.Error().Msgf("Configuration file %s was empty", configFile) |
| 406 | return &configuration, "", nil |
| 407 | } |
| 408 | return nil, "", errors.Wrap(err, "error parsing YAML in config file at "+configFile) |
| 409 | } |
| 410 | configuration.sourceFile = configFile |
| 411 | |
| 412 | // Parse it again, with strict mode, to find warnings. |
| 413 | if file, err := os.Open(configFile); err == nil { |
| 414 | decoder := yaml.NewDecoder(file) |
| 415 | decoder.KnownFields(true) |
| 416 | var unusedConfig configFileSettings |
| 417 | if err := decoder.Decode(&unusedConfig); err != nil { |
| 418 | warnings = err.Error() |
| 419 | } |
| 420 | } |
| 421 | |
| 422 | return &configuration, warnings, nil |
| 423 | } |
| 424 | |
| 425 | // A CustomDuration is a Duration that has custom serialization for JSON. |
| 426 | // JSON in Javascript assumes that int fields are 32 bits and Duration fields are deserialized assuming that numbers |
| 427 | // are in nanoseconds, which in 32bit integers limits to just 2 seconds. |
| 428 | // This type assumes that when serializing/deserializing from JSON, that the number is in seconds, while it maintains |
| 429 | // the YAML serde assumptions. |
| 430 | type CustomDuration struct { |
| 431 | time.Duration |
| 432 | } |
| 433 | |
| 434 | func (s CustomDuration) MarshalJSON() ([]byte, error) { |
| 435 | return json.Marshal(s.Duration.Seconds()) |
| 436 | } |
| 437 | |
| 438 | func (s *CustomDuration) UnmarshalJSON(data []byte) error { |
| 439 | seconds, err := strconv.ParseInt(string(data), 10, 64) |
| 440 | if err != nil { |
| 441 | return err |
| 442 | } |
| 443 | |
| 444 | s.Duration = time.Duration(seconds * int64(time.Second)) |
| 445 | return nil |
| 446 | } |
| 447 | |
| 448 | func (s *CustomDuration) MarshalYAML() (interface{}, error) { |
| 449 | return s.Duration.String(), nil |
| 450 | } |
| 451 | |
| 452 | func (s *CustomDuration) UnmarshalYAML(unmarshal func(interface{}) error) error { |
| 453 | return unmarshal(&s.Duration) |
| 454 | } |
| 455 | |