fumiama/terasu-cloudflared
1
0
Fork 0
mirror of https://github.com/fumiama/terasu-cloudflared.git synced 2026-06-11 05:30:30 +08:00
Code Activity

TUN-4017: Add support for using cloudflared as a full socks proxy.

Browse Source 
To use cloudflared as a socks proxy, add an ingress on the server
side with your desired rules. Rules are matched in the order they
are added.  If there are no rules, it is an implicit allow.  If
there are rules, but no rule matches match, the connection is denied.

ingress:
  - hostname: socks.example.com
    service: socks-proxy
    originRequest:
      ipRules:
        - prefix: 1.1.1.1/24
          ports: [80, 443]
          allow: true
        - prefix: 0.0.0.0/0
          allow: false

On the client, run using tcp mode:
cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080

Set your socks proxy as 127.0.0.1:8080 and you will now be proxying
all connections to the remote machine.
This commit is contained in:
Lee Valentine
2021-03-01 16:26:37 -06:00
parent b0e69c4b8a
commit 206523344f
12 changed files with 419 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
socks/request_handler.go
View File

@@ -6,6 +6,7 @@ import (
"net"
"strings"
"github.com/cloudflare/cloudflared/ipaccess"
"github.com/rs/zerolog"
)
@@ -16,14 +17,16 @@ type RequestHandler interface {
// StandardRequestHandler implements the base socks5 command processing
type StandardRequestHandler struct {
dialer Dialer
dialer Dialer
accessPolicy *ipaccess.Policy
}
// NewRequestHandler creates a standard SOCKS5 request handler
// This handles the SOCKS5 commands and proxies them to their destination
func NewRequestHandler(dialer Dialer) RequestHandler {
func NewRequestHandler(dialer Dialer, accessPolicy *ipaccess.Policy) RequestHandler {
return &StandardRequestHandler{
dialer: dialer,
dialer: dialer,
accessPolicy: accessPolicy,
}
}
@@ -46,6 +49,25 @@ func (h *StandardRequestHandler) Handle(req *Request, conn io.ReadWriter) error
// handleConnect is used to handle a connect command
func (h *StandardRequestHandler) handleConnect(conn io.ReadWriter, req *Request) error {
if h.accessPolicy != nil {
if req.DestAddr.IP == nil {
addr, err := net.ResolveIPAddr("ip", req.DestAddr.FQDN)
if err != nil {
_ = sendReply(conn, ruleFailure, req.DestAddr)
return fmt.Errorf("unable to resolve host to confirm acceess")
}
req.DestAddr.IP = addr.IP
}
if allowed, rule := h.accessPolicy.Allowed(req.DestAddr.IP, req.DestAddr.Port); !allowed {
_ = sendReply(conn, ruleFailure, req.DestAddr)
if rule != nil {
return fmt.Errorf("Connect to %v denied due to iprule: %s", req.DestAddr, rule.String())
}
return fmt.Errorf("Connect to %v denied", req.DestAddr)
}
}
target, localAddr, err := h.dialer.Dial(req.DestAddr.Address())
if err != nil {
msg := err.Error()
@@ -110,7 +132,17 @@ func (h *StandardRequestHandler) handleAssociate(conn io.ReadWriter, req *Reques
func StreamHandler(tunnelConn io.ReadWriter, originConn net.Conn, log *zerolog.Logger) {
dialer := NewConnDialer(originConn)
requestHandler := NewRequestHandler(dialer)
requestHandler := NewRequestHandler(dialer, nil)
socksServer := NewConnectionHandler(requestHandler)
if err := socksServer.Serve(tunnelConn); err != nil {
log.Debug().Err(err).Msg("Socks stream handler error")
}
}
func StreamNetHandler(tunnelConn io.ReadWriter, accessPolicy *ipaccess.Policy, log *zerolog.Logger) {
dialer := NewNetDialer()
requestHandler := NewRequestHandler(dialer, accessPolicy)
socksServer := NewConnectionHandler(requestHandler)
if err := socksServer.Serve(tunnelConn); err != nil {