ingress

package
v0.0.0-...-0d2a7a0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 21, 2025 License: Apache-2.0 Imports: 39 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	SSHServerFlag                 = "ssh-server"
	Socks5Flag                    = "socks5"
	ProxyConnectTimeoutFlag       = "proxy-connect-timeout"
	ProxyTLSTimeoutFlag           = "proxy-tls-timeout"
	ProxyTCPKeepAliveFlag         = "proxy-tcp-keepalive"
	ProxyNoHappyEyeballsFlag      = "proxy-no-happy-eyeballs"
	ProxyKeepAliveConnectionsFlag = "proxy-keepalive-connections"
	ProxyKeepAliveTimeoutFlag     = "proxy-keepalive-timeout"
	HTTPHostHeaderFlag            = "http-host-header"
	OriginServerNameFlag          = "origin-server-name"
	MatchSNIToHostFlag            = "match-sni-to-host"
	NoTLSVerifyFlag               = "no-tls-verify"
	NoChunkedEncodingFlag         = "no-chunked-encoding"
	ProxyAddressFlag              = "proxy-address"
	ProxyPortFlag                 = "proxy-port"
	Http2OriginFlag               = "http2-origin"
)
View Source 
const (
	ServiceBastion     = "bastion"
	ServiceSocksProxy  = "socks-proxy"
	ServiceWarpRouting = "warp-routing"
)
View Source 
const (
	HelloWorldService = "hello_world"
	HelloWorldFlag    = "hello-world"
	HttpStatusService = "http_status"
)

Variables

View Source 
var (
	ErrNoIngressRules    = errors.New("The config file doesn't contain any ingress rules")
	ErrNoIngressRulesCLI = errors.New("No ingress rules were defined in provided config (if any) nor from the cli, cloudflared will return 503 for all incoming HTTP requests")

	ErrURLIncompatibleWithIngress = errors.New("You can't set the --url flag (or $TUNNEL_URL) when using multiple-origin ingress rules")
)

Functions

func ConvertToRawOriginConfig 

func ConvertToRawOriginConfig(c OriginRequestConfig) config.OriginRequestConfig

func DefaultStreamHandler 

func DefaultStreamHandler(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)

DefaultStreamHandler is an implementation of streamHandlerFunc that performs a two way io.Copy between originConn and remoteConn.

Types

type Dialer 

type Dialer struct {
	Dialer net.Dialer
}

func NewDialer 

func NewDialer(config WarpRoutingConfig) *Dialer

func (*Dialer) DialTCP 

func (d *Dialer) DialTCP(ctx context.Context, dest netip.AddrPort) (net.Conn, error)

func (*Dialer) DialUDP 

func (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error)

type HTTPLocalProxy 

type HTTPLocalProxy interface {
	// Handler is how cloudflared proxies eyeball requests to the local cloudflared services
	http.Handler
}

HTTPLocalProxy can be implemented by cloudflared services that want to handle incoming http requests.

type HTTPOriginProxy 

type HTTPOriginProxy interface {
	// RoundTripper is how cloudflared proxies eyeball requests to the actual origin services
	http.RoundTripper
}

HTTPOriginProxy can be implemented by origin services that want to proxy http requests.

type ICMPResponder 

type ICMPResponder interface {
	ConnectionIndex() uint8
	ReturnPacket(pk *packet.ICMP) error
	AddTraceContext(tracedCtx *tracing.TracedContext, serializedIdentity []byte)
	RequestSpan(ctx context.Context, pk *packet.ICMP) (context.Context, trace.Span)
	ReplySpan(ctx context.Context, logger *zerolog.Logger) (context.Context, trace.Span)
	ExportSpan()
}

ICMPResponder manages how to handle incoming ICMP messages coming from the origin to the edge.

type ICMPRouter 

type ICMPRouter interface {
	// Request will send an ICMP packet towards the origin with an ICMPResponder to attach to the ICMP flow for the
	// response to utilize.
	Request(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error
	// ConvertToTTLExceeded will take an ICMP packet and create a ICMP TTL Exceeded response origininating from the
	// ICMPRouter's IP interface.
	ConvertToTTLExceeded(pk *packet.ICMP, rawPacket packet.RawPacket) *packet.ICMP
}

ICMPRouter manages out-going ICMP requests towards the origin.

type ICMPRouterServer 

type ICMPRouterServer interface {
	ICMPRouter
	// Serve runs the ICMPRouter proxy origin listeners for any of the IPv4 or IPv6 interfaces configured.
	Serve(ctx context.Context) error
}

ICMPRouterServer is a parent interface over-top of ICMPRouter that allows for the operation of the proxy origin listeners.

func NewICMPRouter 

func NewICMPRouter(ipv4Addr, ipv6Addr netip.Addr, logger *zerolog.Logger, funnelIdleTimeout time.Duration) (ICMPRouterServer, error)

NewICMPRouter doesn't return an error if either ipv4 proxy or ipv6 proxy can be created. The machine might only support one of them. funnelIdleTimeout controls how long to wait to close a funnel without send/return

type Ingress 

type Ingress struct {
	// Set of ingress rules that are not added to remote config, e.g. management
	InternalRules []Rule
	// Rules that are provided by the user from remote or local configuration
	Rules    []Rule              `json:"ingress"`
	Defaults OriginRequestConfig `json:"originRequest"`
}

Ingress maps eyeball requests to origins.

func ParseIngress 

func ParseIngress(conf *config.Configuration) (Ingress, error)

ParseIngress parses ingress rules, but does not send HTTP requests to the origins.

func ParseIngressFromConfigAndCLI 

func ParseIngressFromConfigAndCLI(conf *config.Configuration, c *cli.Context, log *zerolog.Logger) (Ingress, error)

ParseIngressFromConfigAndCLI will parse the configuration rules from config files for ingress rules and then attempt to parse CLI for ingress rules. Will always return at least one valid ingress rule. If none are provided by the user, the default will be to return 503 status code for all incoming requests.

func (Ingress) CatchAll 

func (ing Ingress) CatchAll() *Rule

CatchAll returns the catch-all rule (i.e. the last rule)

func (Ingress) FindMatchingRule 

func (ing Ingress) FindMatchingRule(hostname, path string) (*Rule, int)

FindMatchingRule returns the index of the Ingress Rule which matches the given hostname and path. This function assumes the last rule matches everything, which is the case if the rules were instantiated via the ingress#Validate method.

Negative index rule signifies local cloudflared rules (not-user defined).

func (Ingress) IsEmpty 

func (ing Ingress) IsEmpty() bool

IsEmpty checks if there are any ingress rules.

func (Ingress) IsSingleRule 

func (ing Ingress) IsSingleRule() bool

IsSingleRule checks if the user only specified a single ingress rule.

func (Ingress) StartOrigins 

func (ing Ingress) StartOrigins(
	log *zerolog.Logger,
	shutdownC <-chan struct{},
) error

StartOrigins will start any origin services managed by cloudflared, e.g. proxy servers or Hello World.

type ManagementService 

type ManagementService struct {
	HTTPLocalProxy
}

ManagementService starts a local HTTP server to handle incoming management requests.

func (ManagementService) MarshalJSON 

func (o ManagementService) MarshalJSON() ([]byte, error)

func (*ManagementService) String 

func (o *ManagementService) String() string

type MockOriginHTTPService 

type MockOriginHTTPService struct {
	Transport http.RoundTripper
}

MockOriginHTTPService should only be used by other packages to mock OriginService. Set Transport to configure desired RoundTripper behavior.

func (MockOriginHTTPService) MarshalJSON 

func (mos MockOriginHTTPService) MarshalJSON() ([]byte, error)

func (MockOriginHTTPService) RoundTrip 

func (mos MockOriginHTTPService) RoundTrip(req *http.Request) (*http.Response, error)

func (MockOriginHTTPService) String 

func (mos MockOriginHTTPService) String() string

type NopReadCloser 

type NopReadCloser struct{}

func (*NopReadCloser) Close 

func (nrc *NopReadCloser) Close() error

func (*NopReadCloser) Read 

func (nrc *NopReadCloser) Read(buf []byte) (int, error)

Read always returns EOF to signal end of input

type OriginConfig 

type OriginConfig struct {
	// The default Dialer used if no reserved services are found for an origin request.
	DefaultDialer OriginDialer
	// Timeout on write operations for TCP connections to the origin.
	TCPWriteTimeout time.Duration
}

type OriginConnection 

type OriginConnection interface {
	// Stream should generally be implemented as a bidirectional io.Copy.
	Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)
	Close() error
}

OriginConnection is a way to stream to a service running on the user's origin. Different concrete implementations will stream different protocols as long as they are io.ReadWriters.

type OriginDialer 

type OriginDialer interface {
	OriginTCPDialer
	OriginUDPDialer
}

OriginDialer provides both TCP and UDP dial operations to an address.

type OriginDialerService 

type OriginDialerService struct {
	// contains filtered or unexported fields
}

OriginDialerService provides a proxy TCP and UDP dialer to origin services while allowing reserved services to be provided. These reserved services are assigned to specific [netip.AddrPort]s and provide their own OriginDialer's to handle origin dialing per protocol.

func NewOriginDialer 

func NewOriginDialer(config OriginConfig, logger *zerolog.Logger) *OriginDialerService

func (*OriginDialerService) AddReservedService 

func (d *OriginDialerService) AddReservedService(service OriginDialer, addrs []netip.AddrPort)

AddReservedService adds a reserved virtual service to dial to. Not locked and expected to be initialized before calling first dial and not afterwards.

func (*OriginDialerService) DialTCP 

func (d *OriginDialerService) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)

DialTCP will perform a dial TCP to the requested addr.

func (*OriginDialerService) DialUDP 

func (d *OriginDialerService) DialUDP(addr netip.AddrPort) (net.Conn, error)

DialUDP will perform a dial UDP to the requested addr.

func (*OriginDialerService) UpdateDefaultDialer 

func (d *OriginDialerService) UpdateDefaultDialer(dialer *Dialer)

UpdateDefaultDialer updates the default dialer.

type OriginRequestConfig 

type OriginRequestConfig struct {
	// HTTP proxy timeout for establishing a new connection
	ConnectTimeout config.CustomDuration `yaml:"connectTimeout" json:"connectTimeout"`
	// HTTP proxy timeout for completing a TLS handshake
	TLSTimeout config.CustomDuration `yaml:"tlsTimeout" json:"tlsTimeout"`
	// HTTP proxy TCP keepalive duration
	TCPKeepAlive config.CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive"`
	// HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback
	NoHappyEyeballs bool `yaml:"noHappyEyeballs" json:"noHappyEyeballs"`
	// HTTP proxy timeout for closing an idle connection
	KeepAliveTimeout config.CustomDuration `yaml:"keepAliveTimeout" json:"keepAliveTimeout"`
	// HTTP proxy maximum keepalive connection pool size
	KeepAliveConnections int `yaml:"keepAliveConnections" json:"keepAliveConnections"`
	// Sets the HTTP Host header for the local webserver.
	HTTPHostHeader string `yaml:"httpHostHeader" json:"httpHostHeader"`
	// Hostname on the origin server certificate.
	OriginServerName string `yaml:"originServerName" json:"originServerName"`
	// Auto configure the Hostname on the origin server certificate.
	MatchSNIToHost bool `yaml:"matchSNItoHost" json:"matchSNItoHost"`
	// Path to the CA for the certificate of your origin.
	// This option should be used only if your certificate is not signed by Cloudflare.
	CAPool string `yaml:"caPool" json:"caPool"`
	// Disables TLS verification of the certificate presented by your origin.
	// Will allow any certificate from the origin to be accepted.
	// Note: The connection from your machine to Cloudflare's Edge is still encrypted.
	NoTLSVerify bool `yaml:"noTLSVerify" json:"noTLSVerify"`
	// Disables chunked transfer encoding.
	// Useful if you are running a WSGI server.
	DisableChunkedEncoding bool `yaml:"disableChunkedEncoding" json:"disableChunkedEncoding"`
	// Runs as jump host
	BastionMode bool `yaml:"bastionMode" json:"bastionMode"`
	// Listen address for the proxy.
	ProxyAddress string `yaml:"proxyAddress" json:"proxyAddress"`
	// Listen port for the proxy.
	ProxyPort uint `yaml:"proxyPort" json:"proxyPort"`
	// What sort of proxy should be started
	ProxyType string `yaml:"proxyType" json:"proxyType"`
	// IP rules for the proxy service
	IPRules []ipaccess.Rule `yaml:"ipRules" json:"ipRules"`
	// Attempt to connect to origin with HTTP/2
	Http2Origin bool `yaml:"http2Origin" json:"http2Origin"`

	// Access holds all access related configs
	Access config.AccessConfig `yaml:"access" json:"access,omitempty"`
}

OriginRequestConfig configures how Cloudflared sends requests to origin services. Note: To specify a time.Duration in go-yaml, use e.g. "3s" or "24h".

type OriginService 

type OriginService interface {
	String() string

	MarshalJSON() ([]byte, error)
	// contains filtered or unexported methods
}

OriginService is something a tunnel can proxy traffic to.

type OriginTCPDialer 

type OriginTCPDialer interface {
	DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)
}

OriginTCPDialer provides a TCP dial operation to a requested address.

type OriginUDPDialer 

type OriginUDPDialer interface {
	DialUDP(addr netip.AddrPort) (net.Conn, error)
}

OriginUDPDialer provides a UDP dial operation to a requested address.

type PacketRouter 

type PacketRouter struct {
	// contains filtered or unexported fields
}

PacketRouter routes packets between Upstream and ICMPRouter. Currently it rejects all other type of ICMP packets

func NewPacketRouter 

func NewPacketRouter(icmpRouter ICMPRouter, muxer muxer, connIndex uint8, logger *zerolog.Logger) *PacketRouter

NewPacketRouter creates a PacketRouter that handles ICMP packets. Packets are read from muxer but dropped if globalConfig is nil.

func (*PacketRouter) Serve 

func (r *PacketRouter) Serve(ctx context.Context) error

type Regexp 

type Regexp struct {
	*regexp.Regexp
}

Regexp adds unmarshalling from json for regexp.Regexp

func (*Regexp) MarshalJSON 

func (r *Regexp) MarshalJSON() ([]byte, error)

type RemoteConfig 

type RemoteConfig struct {
	Ingress     Ingress
	WarpRouting WarpRoutingConfig
}

RemoteConfig models ingress settings that can be managed remotely, for example through the dashboard.

func (*RemoteConfig) UnmarshalJSON 

func (rc *RemoteConfig) UnmarshalJSON(b []byte) error

type RemoteConfigJSON 

type RemoteConfigJSON struct {
	GlobalOriginRequest *config.OriginRequestConfig     `json:"originRequest,omitempty"`
	IngressRules        []config.UnvalidatedIngressRule `json:"ingress"`
	WarpRouting         config.WarpRoutingConfig        `json:"warp-routing"`
}

type Rule 

type Rule struct {
	// Requests for this hostname will be proxied to this rule's service.
	Hostname string `json:"hostname"`

	// Path is an optional regex that can specify path-driven ingress rules.
	Path *Regexp `json:"path"`

	// A (probably local) address. Requests for a hostname which matches this
	// rule's hostname pattern will be proxied to the service running on this
	// address.
	Service OriginService `json:"service"`

	// Handlers is a list of functions that acts as a middleware during ProxyHTTP
	Handlers []middleware.Handler

	// Configure the request cloudflared sends to this specific origin.
	Config OriginRequestConfig `json:"originRequest"`
	// contains filtered or unexported fields
}

Rule routes traffic from a hostname/path on the public internet to the service running on the given URL.

func GetDefaultIngressRules 

func GetDefaultIngressRules(log *zerolog.Logger) []Rule

Gets the default ingress rule that will be return 503 status code for all incoming requests.

func NewManagementRule 

func NewManagementRule(management *management.ManagementService) Rule

func (*Rule) Matches 

func (r *Rule) Matches(hostname, path string) bool

Matches checks if the rule matches a given hostname/path combination.

func (Rule) MultiLineString 

func (r Rule) MultiLineString() string

MultiLineString is for outputting rules in a human-friendly way when Cloudflared is used as a CLI tool (not as a daemon).

type StreamBasedOriginProxy 

type StreamBasedOriginProxy interface {
	EstablishConnection(ctx context.Context, dest string, log *zerolog.Logger) (OriginConnection, error)
}

StreamBasedOriginProxy can be implemented by origin services that want to proxy ws/TCP.

type WarpRoutingConfig 

type WarpRoutingConfig struct {
	ConnectTimeout config.CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"`
	MaxActiveFlows uint64                `yaml:"maxActiveFlows" json:"MaxActiveFlows,omitempty"`
	TCPKeepAlive   config.CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"`
}

func NewWarpRoutingConfig 

func NewWarpRoutingConfig(raw *config.WarpRoutingConfig) WarpRoutingConfig

func (*WarpRoutingConfig) RawConfig 

func (c *WarpRoutingConfig) RawConfig() config.WarpRoutingConfig

type WarpRoutingService 

type WarpRoutingService struct {
	Proxy StreamBasedOriginProxy
}

WarpRoutingService starts a tcp stream between the origin and requests from warp clients.

func NewWarpRoutingService 

func NewWarpRoutingService(config WarpRoutingConfig, writeTimeout time.Duration) *WarpRoutingService

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.