cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)

Home Page: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide

License: Apache License 2.0

Go 86.62% Cap'n Proto 0.38% HTML 5.73% JavaScript 0.16% Makefile 0.50% Dockerfile 0.10% Python 6.29% Shell 0.22%
argo-tunnel cloudflare reverse-proxy cloudflare-tunnel zero-trust-network-access

cloudflared's Introduction

Cloudflare Tunnel client

Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins. This daemon sits between the Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you via this daemon, without requiring you to poke holes in your firewall, so your origin can remain as closed as possible. Extensive documentation can be found in the Cloudflare Tunnel section of the Cloudflare Docs. All usage related to proxying to your origins is available under cloudflared tunnel help.

You can also use cloudflared to access Tunnel origins (that are protected with cloudflared tunnel) for TCP traffic at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc. Such usages are available under cloudflared access help.

You can instead use the WARP client to access private origins behind Tunnels for Layer 4 traffic without requiring cloudflared access commands on the client side.

Before you get started

Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard to add a website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private routing), but for legacy reasons this requirement is still necessary:

  1. Add a website to Cloudflare
  2. Change your domain nameservers to Cloudflare

Installing cloudflared

Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the cloudflared GitHub repository.

User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

Creating Tunnels and routing traffic

Once installed, you can authenticate cloudflared into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.

TryCloudflare

Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation available here.

Deprecated versions

Cloudflare currently supports versions of cloudflared that are within one year of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our developer documentation.

For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.


cloudflared's Issues

Unable to run if macOS network device is already set to pull from local server

Hi,

Figured I would give cloudflared a go today. And after installing the service then rebooting, nothing worked.

After some trial & error, I located the issue to be that I've set the network device to use 127.0.0.1 as the resolver. And therefore it seems like the device/port is taken.

The error is as follows:

~ $ sudo cloudflared
INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yaml 
INFO[0000] Build info: {GoOS:darwin GoVersion:go1.9.1 GoArch:amd64} 
INFO[0000] Version 2018.4.8                             
INFO[0000] Flags map[proxy-dns:true]                    
INFO[0000] Adding DNS upstream                           url="https://1.1.1.1/dns-query"
INFO[0000] Adding DNS upstream                           url="https://1.0.0.1/dns-query"
INFO[0000] cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/argo-tunnel/reference/service/ 
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://localhost:53"
FATA[0000] Error opening metrics server listener         error="lookup localhost on 127.0.0.1:53: read udp 127.0.0.1:49289->127.0.0.1:53: read: connection refused"


Am I understanding it wrong that I can't use cloudflared as an alternative to stubby, dnscrypt-proxy, unbound, etc.?

Running the latest version of macOS (10.13.4). And installed via brew.

Support E-SNI Suggested to add

https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

TL;DR: Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and it will automatically work with any site that supports it. Currently, that means any site hosted by Cloudflare, but we’re hoping other providers will add ESNI support soon.

Concealing Your Browsing History
Although an increasing fraction of Web traffic is encrypted with HTTPS, that encryption isn’t enough to prevent network attackers from learning which sites you are going to. It’s true that HTTPS conceals the exact page you’re going to, but there are a number of ways in which the site’s identity leaks. This can itself be sensitive information: do you want the person at the coffee shop next to you to know you’re visiting cancer.org?

There are four main ways in which browsing history information leaks to the network: the TLS certificate message,  DNS name resolution, the IP address of the server, and the TLS Server Name Indication extension. Fortunately, we’ve made good progress shutting down the first two of these: The new TLS 1.3 standard encrypts the server certificate by default and over the past several months, we’ve been exploring the use of DNS over HTTPS to protect DNS traffic. This is looking good and we are hoping to roll it out to all Firefox users over the coming months. The IP address remains a problem, but in many cases, multiple sites share the same IP address, so that leaves SNI.

Why do we need SNI anyway and why didn’t this get fixed before?
Ironically, the reason you need an SNI field is because multiple servers share the same IP address. When you connect to the server, it needs to give you the right certificate to prove that you’re connecting to a legitimate server and not an attacker. However, if there is more than one server on the same IP address, then which certificate should it choose? The SNI field tells the server which host name you are trying to connect to, allowing it to choose the right certificate. In other words, SNI helps make large-scale TLS hosting work.

We’ve known that SNI was a privacy problem from the beginning of TLS 1.3. The basic idea is easy: encrypt the SNI field (hence “encrypted SNI” or ESNI). Unfortunately every design we tried had drawbacks. The technical details are kind of complicated, but the basic story isn’t: every design we had for ESNI involved some sort of performance tradeoff and so it looked like only sites which were “sensitive” (i.e., you might want to conceal you went there) would be willing to enable ESNI. As you can imagine, that defeats the point, because if only sensitive sites use ESNI, then just using ESNI is itself a signal that your traffic demands a closer look. So, despite a lot of enthusiasm, we eventually decided to publish TLS 1.3 without ESNI.

However, at the beginning of this year, we realized that there was actually a pretty good 80-20 solution: big Content Distribution Networks (CDNs) host a lot of sites all on the same machines. If they’re willing to convert all their customers to ESNI at once, then suddenly ESNI no longer reveals  a useful signal because the attacker can see what CDN you are going to anyway. This realization broke things open and enabled a design for how to make ESNI work in TLS 1.3 (see Alessandro Ghedini’s writeup of the technical details.) Of course, this only works if you can mass-configure all the sites on a given set of servers, but that’s a pretty common configuration.

How do I get it?
This is brand-new technology and Firefox is the first browser to get it. At the moment we’re not ready to turn it on for all Firefox users. However, Nightly users can try out this enhancing feature now by performing the following steps: First, you need to make sure you have DNS over HTTPS enabled (see: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/). Once you’ve done that, you also need to set the “network.security.esni.enabled” preference in about:config to “true”. This should automatically enable ESNI for any site that supports it. Right now, that’s just Cloudflare, which has enabled ESNI for all its customers, but we’re hoping that other providers will follow them. You can go to: https://www.cloudflare.com/ssl/encrypted-sni/ to check for yourself that it’s working.

What’s Next?
During the development of TLS 1.3 we found a number of problems where network devices (typically firewalls and the like) would break when you tried to use TLS 1.3. We’ve been pretty careful about the design, but it’s possible that we’ll see similar problems with ESNI. In order to test this, we’ll be running a set of experiments over the next few months and measuring for breakage. We’d also love to hear from you: if you enable ESNI and it works or causes any problems, please let us know.

Multiple tunnels

Hi there,

So, we're slowly becoming heavy users of Argo Tunnel, especially with the SSH features that are coming up and we're slowly realizing there are use cases where we need to run multiple tunnels.

The current configuration assumes that 1 config file contains 1 tunnel only, which can be problematic because at times we want to expose both the service (HTTP) and SSH via CloudFlare.

There's two ways that we can really do this right now:

systemd templates
This is the way that we're currently working with, it would involve a change here:

{
Path: "/etc/systemd/system/cloudflared.service",
Content: `[Unit]
Description=Argo Tunnel
After=network.target
[Service]
TimeoutStartSec=0
Type=notify
ExecStart={{ .Path }} --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --no-autoupdate
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
`,
},

Once that section is updated, we can use templated systemd files: https://fedoramagazine.org/systemd-template-unit-files/

This means that you can do something like systemctl start cloudflared@ssh and it will start it up by using the config file in /etc/cloudflared/ssh.yml -- this means that all you need to do is drop a file in /etc/cloudflared and then start up that unit.

config file change
This one is a bit more complex and it might be not backwards compatible but simply having the same executable create multiple tunnels might be super productive and useful. It would obviously imply a lot more work (but I don't know the internal architecture and how easy that might be).

Use-case
I know this is really important especially with pushing Argo as a VPN replacement. In our case, we want a "host" that pretty much does tunnelling for a lot of devices that can't run cloudflared. For example, iDRAC for servers, SSH for switches, etc.

The second solution is obviously way better in terms of scale and memory footprint, especially if you're in an environment where possibly you can be doing this for 200-300 hosts, 200-300 services might be really difficult to manage and a single configuration file might be much easier.

Install fail on non resolvable dependency code.cfops.it/go/brotli

Build / install on 2018.7.0 fails on non-resolvable dependency.

go get -u github.com/cloudflare/cloudflared/cmd/cloudflared
package code.cfops.it/go/brotli: unrecognized import path "code.cfops.it/go/brotli" (https fetch: Get https://code.cfops.it/go/brotli?go-get=1: dial tcp 198.41.246.191:443: i/o timeout)

EOF Error

I am running the cloudflared DNS over HTTPS proxy with pi-hole, and every few hours I get the following error:

time="2018-04-19T20:46:26+02:00" level=error msg="failed to connect to an HTTPS backend \"https://1.1.1.1/dns-query\"" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: EOF"
time="2018-04-19T20:46:34+02:00" level=error msg="failed to connect to an HTTPS backend \"https://1.0.0.1/dns-query\"" error="failed to perform an HTTPS request: Post https://1.0.0.1/dns-query: EOF"

Restarting the daemon fixes the problem for a while. This error also occurs right after rebooting, again restarting the daemon seems to work for a few hours.

http panic: multiple registrations for /debug/request on mips build

I have built cloudflared using go 1.10.2 for my Ubiquiti USG (linux/mips64) and I keep running into this error (it happens with every cloudflared subcommand). Any ideas how I can resolve this?

vbash-4.1# /usr/local/bin/cloudflared service install
panic: http: multiple registrations for /debug/requests

goroutine 1 [running]:
net/http.(*ServeMux).Handle(0x1086d40, 0xa880f5, 0xf, 0xb748a0, 0xaf89c8)
        /usr/local/Cellar/go/1.10.2/libexec/src/net/http/server.go:2353 +0x2a8
net/http.(*ServeMux).HandleFunc(0x1086d40, 0xa880f5, 0xf, 0xaf89c8)
        /usr/local/Cellar/go/1.10.2/libexec/src/net/http/server.go:2368 +0x64
net/http.HandleFunc(0xa880f5, 0xf, 0xaf89c8)
        /usr/local/Cellar/go/1.10.2/libexec/src/net/http/server.go:2380 +0x5c
github.com/coredns/coredns/vendor/golang.org/x/net/trace.init.0()
        /Users/paul/go/src/github.com/coredns/coredns/vendor/golang.org/x/net/trace/trace.go:115 +0x5c

I tried building it on go darwin 1.10.2 (GOOS=linux GOARCH=mips go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared and GOOS=linux GOARCH=mips64 go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared) as well as within docker using:

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips64 go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang:9.6.2 bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang:9.6.2 bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips64 go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

Any help would be most appreciated!

git repo replacement makes forks unusable

There's probably no simple solution here :(

The replacement of the cloudflared repository with a different one under the same name means that it's no longer possible to sync any forked code

$ git merge upstream/master
fatal: refusing to merge unrelated histories

proxy-dns random 504

time="2018-04-13T05:46:05-04:00" level=error msg="failed to connect to an HTTPS backend \"https://1.1.1.1/dns-query\"" error="returned status code 504"
time="2018-04-13T09:22:08-04:00" level=error msg="failed to connect to an HTTPS backend \"https://1.1.1.1/dns-query\"" error="returned status code 504"

Sometimes when this occurs, it doesn't come back until I restart the cloudflared service, so I do not believe it is network related despite the 504

brew 404 error when upgrading

brew 404 error when upgrading
==> Upgrading 1 outdated package, with result: cloudflare/cloudflare/cloudflared 2018.7.3 -> 2018.8.0 ==> Upgrading cloudflare/cloudflare/cloudflared ==> Downloading https://developers.cloudflare.com/argo-tunnel/dl/cloudflared-2018.8.0-darwin-amd64.tgz

curl: (22) The requested URL returned error: 404 Error: Failed to download resource "cloudflared" Download failed: https://developers.cloudflare.com/argo-tunnel/dl/cloudflared-2018.8.0-darwin-amd64.tgz

fails to "go get" / "go install" due to coredns and caddy errors

go install -v github.com/cloudflare/cloudflared/cmd/cloudflared with result:

github.com/coredns/coredns/pb
github.com/mholt/caddy
# github.com/coredns/coredns/pb
go/src/github.com/coredns/coredns/pb/dns.pb.go:113: cannot use handler (type func("context".Context, interface {}) (interface {}, error)) as type grpc.UnaryHandler in argument to interceptor
go/src/github.com/coredns/coredns/pb/dns.pb.go:122: cannot use _DnsService_Query_Handler (type func(interface {}, "context".Context, func(interface {}) error, grpc.UnaryServerInterceptor) (interface {}, error)) as type grpc.methodHandler in field value
# github.com/mholt/caddy
go/src/github.com/mholt/caddy/plugins.go:42: undefined: sync.Map
go/src/github.com/mholt/caddy/plugins.go:275: undefined: sync.Map
go/src/github.com/mholt/caddy/plugins.go:276: undefined: sync.Map
go/src/github.com/mholt/caddy/plugins.go:293: undefined: sync.Map

uname -a is

Linux par1_origin_0 4.14.33-mainline-rev1 #1 SMP Sun Apr 8 12:40:59 UTC 2018 aarch64 aarch64 aarch64 GNU/Linux

go version is

go version go1.8.3 linux/arm64

Cross posts:

Disable / Block DNS Rebinding?

Hi,

Sadly cloudflared is doing DNS rebinding. :(

How to block?

Example of cloudflared:

nslookup a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network 192.168.10.122
Server: raspberrypi
Address: 192.168.10.122

Non-authoritative answer:
Name: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Address: 192.168.1.27

Example of bind9 with DNS rebinding blocked:

nslookup a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Server: localhost
Address: 127.0.0.1

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network

Example of asus router with DNS rebinding blocked:

nslookup a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network 192.168.10.1
Server: router.asus.com
Address: 192.168.10.1

Non-authoritative answer:
Name: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Address: 34.192.228.43

As you can see above, I've been able to stop DNS rebinding on most of my network. Everything but in cloudflared. :(

cloudflared is returning the fake local ip address of 192.168.1.27. :(

Thanks,

Will

Edit: net192.rebindtest.com is another good test.
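The behaviour the report asks for, dropping upstream answers that map a public name to an internal address, can be sketched as follows. This is an added example, not part of the original post and not cloudflared's code; it goes beyond the single RFC 1918 case in the report by also covering loopback, link-local, CGNAT and IPv4-mapped IPv6 answers. The `Answer` type, the `FilterRebind` function, the `localZones` allowlist and the `nas.lan` / `example.test` records are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Answer is one A/AAAA record as returned by an upstream resolver
// (hypothetical type for this example).
type Answer struct {
	Name string
	Addr netip.Addr
}

// cgnat is the shared address space (RFC 6598), which IsPrivate does not cover.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isInternal reports whether addr is an address that a name from the public
// DNS should not resolve to.
func isInternal(addr netip.Addr) bool {
	a := addr.Unmap() // treat ::ffff:192.168.1.27 like 192.168.1.27
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() ||
		a.IsUnspecified() || cgnat.Contains(a)
}

// allowedLocal reports whether name lies inside a zone where internal
// answers are expected (for example a LAN-only domain).
func allowedLocal(name string, localZones []string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, z := range localZones {
		z = strings.ToLower(strings.Trim(z, "."))
		if n == z || strings.HasSuffix(n, "."+z) {
			return true
		}
	}
	return false
}

// FilterRebind splits upstream answers into those safe to return to the
// client and those dropped as possible DNS rebinding.
func FilterRebind(answers []Answer, localZones []string) (kept, dropped []Answer) {
	for _, a := range answers {
		if isInternal(a.Addr) && !allowedLocal(a.Name, localZones) {
			dropped = append(dropped, a)
			continue
		}
		kept = append(kept, a)
	}
	return kept, dropped
}

func main() {
	// Constructed sample: the two answers shown in the report above, plus two
	// made-up records ("nas.lan", "example.test") for the edge cases.
	rebind := "a.34.192.228.43.1time.192.168.1.27.forever." +
		"1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network"
	answers := []Answer{
		{rebind, netip.MustParseAddr("192.168.1.27")},
		{rebind, netip.MustParseAddr("34.192.228.43")},
		{"nas.lan", netip.MustParseAddr("192.168.10.5")},
		{"example.test", netip.MustParseAddr("::ffff:127.0.0.1")},
	}
	kept, dropped := FilterRebind(answers, []string{"lan"})
	for _, a := range kept {
		fmt.Println("keep", a.Addr, a.Name)
	}
	for _, a := range dropped {
		fmt.Println("drop", a.Addr, a.Name)
	}
}
```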

Read CA root from custom location

Hi,

I'm trying to run cloudflared on my RPI that runs Openelec. It acts as a media center box and it's always on, so it makes sense to transform it into a DHCP server + DoH.
./cloudflared proxy-dns --address 0.0.0.0
starts successfully, but when I do:
dig @192.168.1.5 cloudflare.com
I get:
ERRO[0002] failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: x509: failed to load system roots and no roots provided"

Upon reading, seems that Go is looking in specific locations for the CA root file (see https://stackoverflow.com/questions/32631289/how-to-specify-custom-ssl-roots-with-go-on-linux).
On Openelec, /etc is mounted as readonly and it is not meant to be writable. I can only write to a specific directory.

Is there any way to provide the CA root from a different file?
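How a Go program can take its trust anchors from a bundle at an arbitrary path instead of the system locations, as an added example that is not part of the original post and not cloudflared's code. `LoadRootPool`, `NewClient`, `Trusts` and `WriteDemoCA` are hypothetical names, and the CA is a throwaway certificate constructed in-process so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// LoadRootPool builds a trust store from a PEM bundle at an arbitrary path
// (for example a writable data directory when /etc is read-only).
func LoadRootPool(path string) (*x509.CertPool, int, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, 0, fmt.Errorf("read CA bundle: %w", err)
	}
	pool, n := x509.NewCertPool(), 0
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM objects in the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("parse certificate %d: %w", n+1, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		// Fail closed: an empty pool would reject every server anyway.
		return nil, 0, errors.New("no certificates found in " + path)
	}
	return pool, n, nil
}

// NewClient returns an HTTPS client that trusts only the given roots.
func NewClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
		},
	}
}

// Trusts reports whether cert chains to one of the roots in pool.
func Trusts(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// WriteDemoCA creates a throwaway self-signed CA (constructed sample data)
// and writes it as ca.pem inside dir.
func WriteDemoCA(dir string) (string, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed demo root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	path := filepath.Join(dir, "ca.pem")
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return path, cert, os.WriteFile(path, pemBytes, 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "roots")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path, cert, err := WriteDemoCA(dir)
	if err != nil {
		panic(err)
	}
	pool, n, err := LoadRootPool(path)
	if err != nil {
		panic(err)
	}
	fmt.Println("roots loaded:", n, "trusted:", Trusts(pool, cert))
	_ = NewClient(pool) // use this client for the HTTPS upstream
}
```

On Linux, Go's crypto/x509 also reads the SSL_CERT_FILE and SSL_CERT_DIR environment variables when locating system roots, which requires no code change.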

Websocket support

Hi, I am running cloudflared on my Synology DS1817+ so that I can access my CCTV at home (I'm behind CGNAT). The live playback of video is passed over websocket along with other config.

Is there a plan to support websockets?

Problem with websockets

I have a problem using websockets with Argo.

Our application has three components

  • IIS7 hosting the static content (*.html, *.js, *.png, …) over HTTP (currently from my workstation) on port 8003.
  • Standalone application serving RESTful content over HTTP from host2 on port 1341.
  • Another standalone application serving streaming content over a websocket from host1 on port 7171.

As per suggestions on the forums I proxy these URLs through Nginx with the below config to provide access through a single port and altered the server JS to use the new URL scheme.

server {
    listen       80;
    server_name  localhost;

    location /ws/ {
        proxy_pass http://host1:7171;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
    location /accountant/ {
        proxy_pass http://host2:1341/;
        proxy_http_version 1.1;
    }
    location / {
        proxy_pass http://localhost:8003;
        proxy_http_version 1.1;
    }
}

IIS7, Nginx and cloudflared are all running on my workstation for testing.

I'm seeing the browser successfully request the static and RESTful content from the correctly rewritten external URLs, however the websocket is not being rewritten at all and is attempting to connect to ws://localhost/ws/

I would have expected the ws:// URL to be rewritten to ws(s)://my.tunnel.url/ws/

What am I doing wrong? According to the Argo docs, websockets are "fully supported".

socket: too many open files

I am attempting to get cloudflared proxy-dns to work reliably but I have come across this error

time="2018-04-16T10:44:12Z" level=error msg="failed to connect to an HTTPS backend \"https://1.1.1.1/dns-query\"" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: EOF"
time="2018-04-16T10:44:13Z" level=error msg="failed to connect to an HTTPS backend \"https://1.1.1.1/dns-query\"" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: dial tcp 1.1.1.1:443: socket: too many open files"

Looking at netstat there is a large number of sockets stuck in the CLOSE_WAIT state.

tcp      386      0 124.188.xxx.xxx:56366    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56450    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56389    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56386    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56463    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56254    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56504    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56454    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56262    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56532    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56487    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56380    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56286    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56490    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56475    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56385    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56312    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56282    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56387    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56535    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56379    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56401    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56492    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56528    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56285    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56373    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56518    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56257    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56349    1.1.1.1:443             CLOSE_WAIT
tcp      385      0 124.188.xxx.xxx:56345    1.1.1.1:443             CLOSE_WAIT
tcp      387      0 124.188.xxx.xxx:56477    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56321    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56397    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56534    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56468    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56340    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56457    1.1.1.1:443             CLOSE_WAIT
tcp      386      0 124.188.xxx.xxx:56363    1.1.1.1:443             CLOSE_WAIT

I am running this on a Ubiquiti EdgeRouter Lite, and after looking at the ulimit it is set as below.

root@ubnt:~# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 1934
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 1934
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited


Cannot compile on debian

Since alpine fails to build, I tried with debian.

FROM golang
WORKDIR /go/src/app
RUN apt update && apt install --yes ca-certificates \
	&& git clone https://github.com/cloudflare/cloudflared /go/src/app \
	&& go get -u all \
	&& make

Log:

Sending build context to Docker daemon   2.56kB
Step 1/7 : FROM golang AS builder
 ---> df6ac9d1bf64
Step 2/7 : WORKDIR /go/src/app
 ---> Using cache
 ---> 7a22fa1bbd1e
Step 3/7 : RUN apt update && apt install --yes ca-certificates git gcc make 	&& git clone https://github.com/cloudflare/cloudflared /go/src/app 	&& go get -u all 	&& make
 ---> Running in 01d86e12042d

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://security-cdn.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Ign:2 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Get:3 http://cdn-fastly.deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:4 http://security-cdn.debian.org/debian-security stretch/updates/main amd64 Packages [459 kB]
Get:5 http://cdn-fastly.deb.debian.org/debian stretch Release [118 kB]
Get:6 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg [2434 B]
Get:7 http://cdn-fastly.deb.debian.org/debian stretch-updates/main amd64 Packages [5152 B]
Get:8 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Packages [7089 kB]
Fetched 7859 kB in 5s (1531 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
ca-certificates is already the newest version (20161130+nmu1+deb9u1).
gcc is already the newest version (4:6.3.0-4).
git is already the newest version (1:2.11.0-3+deb9u4).
make is already the newest version (4.1-9.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Cloning into '/go/src/app'...
# app/cmd/cloudflared/access
cmd/cloudflared/access/carrier.go:24:44: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to config.ValidateUrl
# app/tlsconfig
tlsconfig/certreloader.go:52:19: cannot use log.JSONFormatter literal (type *log.JSONFormatter) as type "app/vendor/github.com/sirupsen/logrus".Formatter in argument to "app/vendor/github.com/sirupsen/logrus".SetFormatter:
	*log.JSONFormatter does not implement "app/vendor/github.com/sirupsen/logrus".Formatter (wrong type for Format method)
		have Format(*"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Entry) ([]byte, error)
		want Format(*"app/vendor/github.com/sirupsen/logrus".Entry) ([]byte, error)
# app/tunnelrpc/pogs
tunnelrpc/pogs/tunnelrpc.go:22:55: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Insert
tunnelrpc/pogs/tunnelrpc.go:27:59: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Extract
tunnelrpc/pogs/tunnelrpc.go:40:59: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Insert
tunnelrpc/pogs/tunnelrpc.go:45:63: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Extract
tunnelrpc/pogs/tunnelrpc.go:65:60: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Insert
tunnelrpc/pogs/tunnelrpc.go:70:64: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Extract
tunnelrpc/pogs/tunnelrpc.go:84:51: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Insert
tunnelrpc/pogs/tunnelrpc.go:89:55: cannot use s.Struct (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Struct) as type "app/vendor/zombiezen.com/go/capnproto2".Struct in argument to pogs.Extract
tunnelrpc/pogs/tunnelrpc.go:124:14: cannot use p.Options (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".CallOptions) as type "app/vendor/zombiezen.com/go/capnproto2".CallOptions in argument to "app/vendor/zombiezen.com/go/capnproto2/server".Ack
tunnelrpc/pogs/tunnelrpc.go:138:14: cannot use p.Options (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".CallOptions) as type "app/vendor/zombiezen.com/go/capnproto2".CallOptions in argument to "app/vendor/zombiezen.com/go/capnproto2/server".Ack
tunnelrpc/pogs/tunnelrpc.go:138:14: too many errors
# app/cmd/cloudflared
cmd/cloudflared/main.go:54:13: cannot use tunnel.Before (type func(*"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context) error) as type "app/vendor/gopkg.in/urfave/cli.v2".BeforeFunc in assignment
cmd/cloudflared/main.go:66:4: cannot use updater.Update (type func(*"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context) error) as type "app/vendor/gopkg.in/urfave/cli.v2".ActionFunc in field value
cmd/cloudflared/main.go:76:15: cannot use tunnel.Commands() (type []*"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Command) as type []*"app/vendor/gopkg.in/urfave/cli.v2".Command in append
cmd/cloudflared/main.go:77:15: cannot use access.Commands() (type []*"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Command) as type []*"app/vendor/gopkg.in/urfave/cli.v2".Command in append
cmd/cloudflared/main.go:83:15: cannot use append(flags, access.Flags()...) (type []"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Flag) as type []"app/vendor/gopkg.in/urfave/cli.v2".Flag in return argument
cmd/cloudflared/main.go:91:55: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to tunnel.StartServer
# app/cmd/cloudflared/tunnel
cmd/cloudflared/tunnel/cmd.go:75:4: cannot use tunneldns.Run (type func(*"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context) error) as type "app/vendor/gopkg.in/urfave/cli.v2".ActionFunc in field value
cmd/cloudflared/tunnel/cmd.go:119:29: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to sqlgateway.StartProxy
cmd/cloudflared/tunnel/cmd.go:238:24: cannot use logger (type *"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Logger) as type *"app/vendor/github.com/sirupsen/logrus".Logger in argument to initLogFile
cmd/cloudflared/tunnel/cmd.go:266:32: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to updater.IsAutoupdateEnabled
cmd/cloudflared/tunnel/cmd.go:271:62: cannot use &listeners (type *"app/vendor/github.com/facebookgo/grace/gracenet".Net) as type *"github.com/cloudflare/cloudflared/vendor/github.com/facebookgo/grace/gracenet".Net in argument to updater.Autoupdate
cmd/cloudflared/tunnel/cmd.go:332:42: cannot use logger (type *"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Logger) as type *"app/vendor/github.com/sirupsen/logrus".Logger in argument to prepareTunnelConfig
cmd/cloudflared/tunnel/cmd.go:350:51: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to config.FindInputSourceContext
cmd/cloudflared/tunnel/cmd.go:355:39: cannot use inputSource (type "github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2/altsrc".InputSourceContext) as type "app/vendor/gopkg.in/urfave/cli.v2/altsrc".InputSourceContext in argument to "app/vendor/gopkg.in/urfave/cli.v2/altsrc".ApplyInputSourceValues:
	"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2/altsrc".InputSourceContext does not implement "app/vendor/gopkg.in/urfave/cli.v2/altsrc".InputSourceContext (wrong type for Generic method)
		have Generic(string) ("github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Generic, error)
		want Generic(string) ("app/vendor/gopkg.in/urfave/cli.v2".Generic, error)
cmd/cloudflared/tunnel/configuration.go:158:38: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to config.ValidateUrl
cmd/cloudflared/tunnel/configuration.go:206:51: cannot use c (type *"app/vendor/gopkg.in/urfave/cli.v2".Context) as type *"github.com/cloudflare/cloudflared/vendor/gopkg.in/urfave/cli.v2".Context in argument to tlsconfig.CreateTunnelConfig
cmd/cloudflared/tunnel/configuration.go:206:51: too many errors
# app/origin
origin/tunnel.go:311:31: cannot use tunnelrpc.NewTransportLogger(config.Logger.WithField("subsystem", "rpc-register"), "app/vendor/zombiezen.com/go/capnproto2/rpc".StreamTransport(stream)) (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport) as type "app/vendor/zombiezen.com/go/capnproto2/rpc".Transport in argument to "app/vendor/zombiezen.com/go/capnproto2/rpc".NewConn:
	"github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport does not implement "app/vendor/zombiezen.com/go/capnproto2/rpc".Transport (wrong type for RecvMessage method)
		have RecvMessage("context".Context) ("github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
		want RecvMessage("context".Context) ("app/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
origin/tunnel.go:311:55: cannot use config.Logger.WithField("subsystem", "rpc-register") (type *"app/vendor/github.com/sirupsen/logrus".Entry) as type *"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Entry in argument to tunnelrpc.NewTransportLogger
origin/tunnel.go:311:105: cannot use "app/vendor/zombiezen.com/go/capnproto2/rpc".StreamTransport(stream) (type "app/vendor/zombiezen.com/go/capnproto2/rpc".Transport) as type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport in argument to tunnelrpc.NewTransportLogger:
	"app/vendor/zombiezen.com/go/capnproto2/rpc".Transport does not implement "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport (wrong type for RecvMessage method)
		have RecvMessage("context".Context) ("app/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
		want RecvMessage("context".Context) ("github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
origin/tunnel.go:312:20: cannot use tunnelrpc.ConnLog(config.Logger.WithField("subsystem", "rpc-transport")) (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".ConnOption) as type "app/vendor/zombiezen.com/go/capnproto2/rpc".ConnOption in argument to "app/vendor/zombiezen.com/go/capnproto2/rpc".NewConn
origin/tunnel.go:312:44: cannot use config.Logger.WithField("subsystem", "rpc-transport") (type *"app/vendor/github.com/sirupsen/logrus".Entry) as type *"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Entry in argument to tunnelrpc.ConnLog
origin/tunnel.go:315:43: cannot use conn.Bootstrap(ctx) (type "app/vendor/zombiezen.com/go/capnproto2".Client) as type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Client in field value:
	"app/vendor/zombiezen.com/go/capnproto2".Client does not implement "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Client (wrong type for Call method)
		have Call(*"app/vendor/zombiezen.com/go/capnproto2".Call) "app/vendor/zombiezen.com/go/capnproto2".Answer
		want Call(*"github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Call) "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2".Answer
origin/tunnel.go:385:31: cannot use tunnelrpc.NewTransportLogger(logger.WithField("subsystem", "rpc-unregister"), "app/vendor/zombiezen.com/go/capnproto2/rpc".StreamTransport(stream)) (type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport) as type "app/vendor/zombiezen.com/go/capnproto2/rpc".Transport in argument to "app/vendor/zombiezen.com/go/capnproto2/rpc".NewConn:
	"github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport does not implement "app/vendor/zombiezen.com/go/capnproto2/rpc".Transport (wrong type for RecvMessage method)
		have RecvMessage("context".Context) ("github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
		want RecvMessage("context".Context) ("app/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
origin/tunnel.go:385:48: cannot use logger.WithField("subsystem", "rpc-unregister") (type *"app/vendor/github.com/sirupsen/logrus".Entry) as type *"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Entry in argument to tunnelrpc.NewTransportLogger
origin/tunnel.go:385:100: cannot use "app/vendor/zombiezen.com/go/capnproto2/rpc".StreamTransport(stream) (type "app/vendor/zombiezen.com/go/capnproto2/rpc".Transport) as type "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport in argument to tunnelrpc.NewTransportLogger:
	"app/vendor/zombiezen.com/go/capnproto2/rpc".Transport does not implement "github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/rpc".Transport (wrong type for RecvMessage method)
		have RecvMessage("context".Context) ("app/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
		want RecvMessage("context".Context) ("github.com/cloudflare/cloudflared/vendor/zombiezen.com/go/capnproto2/std/capnp/rpc".Message, error)
origin/tunnel.go:386:37: cannot use logger.WithField("subsystem", "rpc-transport") (type *"app/vendor/github.com/sirupsen/logrus".Entry) as type *"github.com/cloudflare/cloudflared/vendor/github.com/sirupsen/logrus".Entry in argument to tunnelrpc.ConnLog
origin/tunnel.go:385:31: too many errors
The command '/bin/sh -c apt update && apt install --yes ca-certificates git gcc make 	&& git clone https://github.com/cloudflare/cloudflared /go/src/app 	&& go get -u all 	&& make' returned a non-zero code: 2

So basically any means of compiling on docker is failing. What are we doing wrong?

brew failure again

I have the latest MacOS Mojave 10.14

It seems to be complaining about Xcode version not being Xcode 10.
I assume I MUST upgrade?

x-MacBook-Pro:~ apple$ brew upgrade
==> Upgrading 5 outdated packages:
cloudflare/cloudflare/cloudflared 2018.8.0 -> 2018.10.3, flatbuffers 1.9.0 -> 1.10.0, node 10.11.0 -> 10.12.0, bitrise 1.22.0 -> 1.23.0, git 2.19.0_1 -> 2.19.1
==> Upgrading cloudflare/cloudflare/cloudflared 
Error: Your Xcode (9.2) is too outdated.
Please update to Xcode 10.0 (or delete it).
Xcode can be updated from the App Store.

Auto update service is not enabled by default

Hi! After installing cloudflared as a service, two systemd files related to the auto update function are created, "cloudflared-update.service" and "cloudflared-update.timer". Is the intended behavior here for the user to enable them manually if the auto update function is desired, or should it be on by default?

Using argo with a React web application

Trying to figure out how this would work with a web application using React and figured someone has encountered this. Any ideas? Would love to contribute an example of this sort of setup.

stopped resolving, "failed to perform an HTTPS request"

cloudflared version 2018.10.0 (built 2018-10-04-2150 UTC)

At some point cloudflared stops forwarding requests; syslog is full of messages like these:

`Oct 5 20:25:03 localhost cloudflared[4488]: time="2018-10-05T20:25:03+03:00" level=error msg="failed to connect to an HTTPS backend "https://1.0.0.1/dns-query\"" error="failed to perform an HTTPS request: Post https://1.0.0.1/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"

Oct 5 20:25:03 localhost cloudflared[4488]: time="2018-10-05T20:25:03+03:00" level=error msg="failed to connect to an HTTPS backend "https://1.1.1.1/dns-query\"" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: read tcp 192.168.1.5:60834->1.1.1.1:443: read: connection reset by peer"`

Happened multiple times, on a previous version as well. Service restart helps.

notes for installing on a Ubiquiti Edgerouter 4

First, download and build cloudflared with mips64 (not covering go environment setup here)

Note: mips64 is used for the ER-4, other routers may use different architectures

# download src
go get -d github.com/cloudflare/cloudflared/cmd/cloudflared
# cross compile for linux and mips64
GOOS=linux GOARCH=mips64 go build github.com/cloudflare/cloudflared/cmd/cloudflared
# copy the binary to your router
scp <gobindir>/cloudflared <user>@<router>:

ssh to your router

# need root
sudo -i
# change ownership of the binary
chown root:root cloudflared
# change permissions to allow execution
chmod +x cloudflared
# mv the binary to /usr/local/bin
mv cloudflared /usr/local/bin/
# create the cloudflared config directory
mkdir /etc/cloudflared

add config.yml to /etc/cloudflared (setting the proxy-dns-port to an available port on your router you know you won't use for anything else)

proxy-dns: true
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query
proxy-dns-port: 8853

install the default init script

/usr/local/bin/cloudflared service install

Since we are using mips64, you'll want to disable auto update by replacing the cmd line with

cmd="/usr/local/bin/cloudflared --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --pidfile /var/run/$name.pid --no-autoupdate"

Start the cloudflared service

/etc/init.d/cloudflared start

Finally for your router configuration,

# use dnsmasq (see https://help.ubnt.com/hc/en-us/articles/115002673188-EdgeRouter-Using-dnsmasq-for-DHCP-Server)
# enable the dnsmasq dhcp server
set service dhcp-server use-dnsmasq enable 
# set the router's name server
set system name-server 127.0.0.1
# set the default listen device
set service dns forwarding listen-on eth1
# set a default dns name for your local network
set system domain-name home.local 
# set your forwarding dns to the cloudflared port
set service dns forwarding options server=127.0.0.1#8853
commit
save
exit

Test if it works!

Refactor to separate command from library functions

I would like to propose refactoring the repository so that most of the logic is moved out of the main package and into a new package called warp or cfwarp.

That way, the main package can call library functions to log in, start the server/tunnel, etc, as would a Caddy plugin or k8s ingress controller, without duplicating code.

I'm starting on this locally already, and if I can get it working I'll submit a PR.

"Error validating url" "please specific an origin URL" in version 2018.8.0

2018.7.3 works:

C:\dev>cloudflared.exe --hostname console.nativedrive.com http://localhost:5000
WARN[0000] Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /usr/local/etc/cloudflared /etc/cloudflared]
INFO[0000] Build info: {GoOS:windows GoVersion:go1.9.3 GoArch:amd64}
INFO[0000] Version 2018.7.3
INFO[0000] Flags map[hostname:console.nativedrive.com]
INFO[0000] cloudflared will not automatically update on Windows systems.
INFO[0000] Starting metrics server                       addr="127.0.0.1:49698"
INFO[0000] Proxying tunnel requests to http://localhost:5000
INFO[0000] Connected to LAX

2018.8.0 does not work:

C:\dev>cloudflared.exe --hostname console.nativedrive.com http://localhost:5000
WARN[0000] Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /usr/local/etc/cloudflared /etc/cloudflared]
INFO[0000] Build info: {GoOS:windows GoVersion:go1.9.3 GoArch:amd64}
INFO[0000] Version 2018.8.0
INFO[0000] Flags map[hostname:console.nativedrive.com]
INFO[0000] cloudflared will not automatically update on Windows systems.
INFO[0000] Starting metrics server                       addr="127.0.0.1:50002"
ERRO[0000] Error validating url                          error="Please specify an origin URL."

Allow connections to backends without SSL verification

While far from ideal, it is sometimes useful to tunnel to internal devices with certificates that you do not control. A specific option to skip SSL verification would permit bypassing errors like this:

ERRO[0054] HTTP request error connectionID=2 error="x509: certificate has expired or is not yet valid"

POST requests without body

Critical bug in last version:

$cloudflared --version
cloudflared version 2018.5.6 (built 2018-05-23-1637 UTC)

POST data is not sent via the cloudflared tunnel.
To reproduce:

  1. run simple HTTP echo server, that prints request, for example reflect.py
$python reflect.py
Listening on localhost:8080
  2. run cloudflare tunnel
cloudflared --url 127.0.0.1:8080 --hostname test.mydomain.com
  3. make POST request using curl
$curl -d "foo=bar" -X POST http://test.mydomain.com/

The output contains no POST data:

----- Request Start ----->

/
Host: test.mydomain.com
User-Agent: curl/7.47.0
Transfer-Encoding: chunked
Accept: */*
Accept-Encoding: gzip
Cf-Connecting-Ip: 88.99.101.9
Cf-Ipcountry: DE
Cf-Ray: 422905cd04839712-FRA
Cf-Visitor: {"scheme":"http"}
Cf-Warp-Tag-Id: 348edf65566712c60e5cefe3c2fe0a40426138d7f7e37a3f989f79d192144990
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 88.99.101.9
X-Forwarded-Proto: http


<----- Request End -----

127.0.0.1 - - [29/May/2018 15:39:14] "POST / HTTP/1.1" 200 -

If the request is made to localhost, the output contains the POST data:

curl -d "foo=bar" -X POST http://localhost:8080/

----- Request Start ----->

/
Host: localhost:8080
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded

foo=bar
<----- Request End -----

127.0.0.1 - - [29/May/2018 15:50:39] "POST / HTTP/1.1" 200 -

problems installing cloudflared on ubuntu

Running ubuntu 18.04.

I tried to follow the instructions here; however, they didn't work.

First I got an error installing the service:

~ 130 11.99s ➤  sudo cloudflared service install
INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yaml 
INFO[0000] Failed to copy user configuration. Before running the service, ensure that /etc/cloudflared contains two files, cert.pem and config.yml  error="open /usr/local/etc/cloudflared/cert.pem: no such file or directory"

Which I fixed with sudo cp /etc/cloudflared/cert.pem /usr/local/etc/cloudflared/cert.pem

Then I got an error while starting the service, which included

time="2018-04-09T11:51:57+01:00" level=info msg="Cannot load configuration from /etc/cloudflared/config.yml" error="Unable to load

Which I in turn fixed with sudo cp /usr/local/etc/cloudflared/config.yaml /etc/cloudflared/config.yml.

The service then runs fine.

Looking back on this I guess the overall problem is that /usr/local/etc/cloudflared/ should actually be /etc/cloudflared/ in the instructions, that would also avoid the mkdir command as /etc/cloudflared/ already exists.

go get in alpine fails

When trying to get the cloudflared github.com repository through go in an alpine docker container I get this error:

$ go get -v github.com/cloudflare/cloudflared/cmd/cloudflared
...
# github.com/cloudflare/cloudflared/tunneldns
src/github.com/cloudflare/cloudflared/tunneldns/metrics.go:39:13: not enough arguments in call to vars.Report
	have (request.Request, string, string, int, time.Time)
	want ("context".Context, request.Request, string, string, int, time.Time)
The command '/bin/sh -c apk update; 	apk add git;	go get -v github.com/cloudflare/cloudflared/cmd/cloudflared' returned a non-zero code: 2

The full log can be found on https://travis-ci.org/visibilityspots/dockerfile-cloudflared/jobs/370010829

411 Length Required

GET requests through the client proxy are no problem, but when I try to POST some data it shows me:

Length Required

A request of the requested method POST requires a valid Content-length.
Apache Server at Port 80

config.yml is as below:

hostname: www.**.org
url: http://192.168.88.188
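
The framing difference behind the two POST reports above (the echo output with no body, and the 411 Length Required response), as an added Go example that is not code from cloudflared or from either report. The two raw requests are constructed from the dumps shown, and `lengthOnlyBody`, `readBody`, `reframe` and the size limit are hypothetical names and values chosen for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed requests modelled on the two dumps in the report: sent straight
// to the origin the POST carries Content-Length, through the tunnel it arrives
// with Transfer-Encoding: chunked and no Content-Length.
const directReq = "POST / HTTP/1.1\r\nHost: localhost:8080\r\n" +
	"Content-Length: 7\r\n\r\nfoo=bar"
const tunnelReq = "POST / HTTP/1.1\r\nHost: test.mydomain.com\r\n" +
	"Transfer-Encoding: chunked\r\n\r\n7\r\nfoo=bar\r\n0\r\n\r\n"

var errTooLarge = errors.New("request body exceeds limit")

func parse(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// lengthOnlyBody mimics an echo server that reads exactly Content-Length
// bytes. For a chunked request the length is unknown (-1), so it sees nothing.
func lengthOnlyBody(r *http.Request) string {
	if r.ContentLength <= 0 {
		return ""
	}
	buf := make([]byte, r.ContentLength)
	if _, err := io.ReadFull(r.Body, buf); err != nil {
		return ""
	}
	return string(buf)
}

// readBody reads to the end of the body whatever the framing, with a size cap
// so an unbounded chunked stream cannot exhaust memory.
func readBody(r *http.Request, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r.Body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errTooLarge
	}
	return b, nil
}

// reframe buffers a chunked body and re-serialises the request with an
// explicit Content-Length, for a backend that answers 411 without one.
func reframe(r *http.Request, limit int64) (string, error) {
	b, err := readBody(r, limit)
	if err != nil {
		return "", err
	}
	r.Body = io.NopCloser(bytes.NewReader(b))
	if len(b) == 0 {
		r.Body = http.NoBody // makes Write emit Content-Length: 0
	}
	r.ContentLength = int64(len(b))
	r.TransferEncoding = nil
	var out bytes.Buffer
	if err := r.Write(&out); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	direct, err := parse(directReq)
	if err != nil {
		panic(err)
	}
	fmt.Printf("direct, length-only reader: %q\n", lengthOnlyBody(direct))

	tunnel, err := parse(tunnelReq)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tunnel, length-only reader: %q (ContentLength=%d)\n",
		lengthOnlyBody(tunnel), tunnel.ContentLength)

	out, err := reframe(tunnel, 1<<20)
	fmt.Printf("reframed for the backend (err=%v):\n%s\n", err, out)
}
```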

Clarification of redistribution/license terms for source code/binaries

Hi,

I'd like to package cloudflared for NixOS, which is a very unusual Linux distribution that tends to compile everything from source where possible (for a number of reasons, but not just because we enjoy it -- though proprietary binaries are sometimes workable). In particular, each package in NixOS, when built, is stored and served over a big HTTP cache[1]. This means we do the packaging on our servers and ship the binary artifacts (made by us) to users.

However, like most distributions, we keep track of licenses, and we do not (by default) allow usage of non-free software, which we mark as license = unfree. There are two "tiers" of unfree packages in NixOS: unfree, which prohibits usage by default, and does not build copies of the objects in the HTTP cache, and unfreeRedistributable, which is legally not free software, but can have the binary results redistributed.

The LICENSE file for cloudflared pretty clearly indicates the software isn't free software (under any libre/OSI approved terms), but I'm more wondering about the terms of redistribution:

  1. Am I allowed to redistribute the binary downloads that you provide? i.e. can we download the binaries CloudFlare provides, and re-host them for our users? If so, what are the terms of distribution for that binary? e.g. it must be completely un-modified from the original, etc

  2. Is it a violation of the terms to compile the (unmodified) code from source and use that to interact with CloudFlare? If it is not a violation, can we distribute the resulting binary?

  3. If we must use the original binary, does the user of the binary have to accept any provided terms to download it? E.g. Oracle requires you to agree to terms before downloading OracleJDK. In practice cloudflared can just be downloaded by anyone and the documentation makes no indication that there are any restrictions on who downloads it, but this is also maybe worth clarifying.

I'm not a lawyer, so these questions may be obvious to someone, but that someone isn't me.

The questions are a bit complicated; in particular, the ideal case would be "You can compile the source and redistribute the binary artifacts from that source code, under the same license as provided", re: question 2. This would mean NixOS could simply mark this package as unfreeRedistributable and still serve binaries for our users when they wanted it.

If source code isn't allowed, the binary case is a bit more complicated. Most licenses require "non-modification" of the binaries, but for proprietary binaries they often have to have their ELF headers modified on NixOS to work properly. This may not be the case with cloudflared (static Go binary), but it's still worth clarifying I think. (As an example, Nvidia distributes proprietary binary drivers that you can redistribute but only if they're unmodified. This is fine for some Linux distros, but not for us, because we have to modify the binary ELF headers. This means the Nvidia driver packages for NixOS are unfree, not unfreeRedistributable, because we would otherwise violate the terms).

The third case is an extension of case 2: if the original binary must be used, there's a question of whether any terms must be accepted to download it. This is also handled in NixOS separately; for example, some unfree packages do not require any explicit agreement to actually download the binary; the license simply doesn't allow you (a 3rd party) to redistribute the binary, so end-users have to download it themselves. An example of this is the Nvidia NCCL library. When a user installs it, they will 'build' the package themselves, and during that time, the binaries will be downloaded automatically. On the other hand, some packages not only do not allow redistribution, they also require an explicit agreement with the user, like OracleJDK. In this case on NixOS, not only does the user have to 'build' the package themselves when they try to install it, they also have to manually download the binary first (through a web browser) and "add it" to their system so it can be built. (In other words, our tools can't "automatically" accept the license on their behalf, which is fairly standard).


At the end of the day, cloudflared in NixOS can be simply marked as unfree which is the most restrictive license in NixOS, and end-users would have to compile it themselves, removing us from the loop. The only relevant question then, is question 3 -- whether or not the binary can be downloaded without an agreement on behalf of the user. In this case, everything here seems to indicate that no agreement for download is necessary, which is nice, but that's not fully clear to me.

I don't expect there to be any good, easy answers to these questions without your legal team getting involved. Also, talking to your legal team is probably not your good idea of 'fun', so I understand if this clarification isn't the highest priority (though that's how life is sometimes).

This wouldn't be the end of the world, although it may be a bit unfortunate for the few people who need it. However, these terms may be worth clarifying for others too.


[1] Sadly we do not use CloudFlare for our cache -- but I imagine you probably don't want terabytes of ELF binaries clogging your CDN/cache layers. :)

Using the hidden resolver with proxy-dns yields errors

If you follow the instructions from https://blog.cloudflare.com/welcome-hidden-resolver/ everything seems to work, but socat and cloudflared both produce a bunch of errors.

Steps to reproduce:

Host: Fedora 28
Tor: Tor version 0.3.2.10 (git-31cc63deb69db819).
socat:

alc@am1m-s2h ~ % socat -V
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.2 on Feb  9 2018 23:25:47
   running on Linux version #1 SMP Tue Jul 3 14:06:39 UTC 2018, release 4.17.4-200.fc28.x86_64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #undef WITH_LIBWRAP
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

cloudflared: cloudflared version 2018.7.2 (built 2018-07-13-1701 UTC)

  1. have tor running
  2. make sure you have 127.0.0.1 dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion in your /etc/hosts
  3. Enter into a terminal:
socat TCP4-LISTEN:443,reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443,socksport=9150
  4. Enter into another terminal:
$ cloudflared proxy-dns --upstream "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
  5. At another terminal, do:
$ dig @127.0.0.1 www.google.com

You'll get back an empty result from dig:

alc@am1m-s2h ~ % dig @localhost www.google.com

; <<>> DiG 9.11.3-RedHat-9.11.3-12.fc28 <<>> @localhost www.google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37990
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9e84201c1387408a (echoed)
;; QUESTION SECTION:
;www.google.com.			IN	A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 13 20:41:28 EDT 2018
;; MSG SIZE  rcvd: 55

dig seems to be able to try to make a request, but the result is just empty.

socat error:

2018/07/13 20:42:37 socat[30223] E connect(5, AF=2 127.0.0.1:9150, 16): Connection refused

cloudflared error:

error="failed to perform an HTTPS request: Post https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query: EOF"

Add DNS over HTTP/2 Stub Resolver

Create an option for argo tunnel to start up as DNS stub resolver.

Design

  • Locally-running application that listens on localhost on a specific port and accepts incoming DNS requests
  • Queries are sent to Cloudflare's resolver via the DoH protocol and responses to the application as DNS messages

Required

Nice to have

  • Caching
  • Similar fallback option to Firefox.
  1. race OS vs TRR in parallel and take the faster one
  2. TRR first.. generally use TRR and only go to the native resolver if resolution of trr fails.
  3. TRR only.. like first, but never fallback
  4. Shadow mode.. like race but always use OS result. (this is how we will do the initial tests)

If you are using mode 3 you have a bootstrap problem connecting to the DoH endpoint (in the other modes the bootstrap falls back to native dns) but you can use the network.trr.bootstrapAddress configuration field to "pre-resolve" the IP address of the DoH server (or you could use an IP based cert I suppose).
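
The four fallback modes listed in this request, as an added Go example that is not cloudflared's code nor Firefox's. Resolvers are modelled as plain functions so the selection logic runs offline; `Resolve`, the `Mode*` constants, `fake`, `errDown` and the sample addresses are hypothetical names and constructed values.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Resolver models either path: the DoH upstream ("trr") or the OS resolver.
type Resolver func(ctx context.Context, name string) ([]string, error)

// Mode values follow the numbering of the list in the issue.
type Mode int

const (
	ModeRace   Mode = 1 // query both, take the first success
	ModeFirst  Mode = 2 // TRR, then the OS resolver if TRR fails
	ModeOnly   Mode = 3 // TRR only, never fall back
	ModeShadow Mode = 4 // query both, always answer with the OS result
)

var errDown = errors.New("resolver unreachable") // constructed failure

type answer struct {
	addrs []string
	err   error
	src   string
}

// query starts both lookups; the buffered channel lets each goroutine
// finish even after the caller has stopped listening.
func query(ctx context.Context, trr, native Resolver, name string) <-chan answer {
	ch := make(chan answer, 2)
	run := func(r Resolver, src string) {
		addrs, err := r(ctx, name)
		ch <- answer{addrs, err, src}
	}
	go run(trr, "trr")
	go run(native, "os")
	return ch
}

// Resolve returns the addresses and which resolver ("trr" or "os") gave them.
func Resolve(ctx context.Context, mode Mode, trr, native Resolver, name string) ([]string, string, error) {
	switch mode {
	case ModeOnly:
		addrs, err := trr(ctx, name)
		return addrs, "trr", err
	case ModeFirst:
		if addrs, err := trr(ctx, name); err == nil {
			return addrs, "trr", nil
		}
		addrs, err := native(ctx, name)
		return addrs, "os", err
	case ModeRace:
		ctx, cancel := context.WithCancel(ctx)
		defer cancel() // stop the slower lookup once a winner is chosen
		ch := query(ctx, trr, native, name)
		first := <-ch
		if first.err == nil {
			return first.addrs, first.src, nil
		}
		second := <-ch // the faster resolver failed, so wait for the other
		return second.addrs, second.src, second.err
	case ModeShadow:
		ch := query(ctx, trr, native, name)
		a, b := <-ch, <-ch // wait for both so the TRR answer can be compared
		if a.src != "os" {
			a = b
		}
		return a.addrs, "os", a.err
	}
	return nil, "", fmt.Errorf("unknown mode %d", mode)
}

// fake builds a constructed resolver that answers after a delay.
func fake(delay time.Duration, addrs []string, err error) Resolver {
	return func(ctx context.Context, name string) ([]string, error) {
		select {
		case <-time.After(delay):
			return addrs, err
		case <-ctx.Done():
			return nil, ctx.Err()
		}
	}
}

func main() {
	trrDown := fake(time.Millisecond, nil, errDown)
	osOK := fake(10*time.Millisecond, []string{"192.0.2.10"}, nil)
	for _, m := range []Mode{ModeRace, ModeFirst, ModeOnly, ModeShadow} {
		addrs, src, err := Resolve(context.Background(), m, trrDown, osOK, "example.com")
		fmt.Printf("mode %d: addrs=%v source=%s err=%v\n", m, addrs, src, err)
	}
}
```

With the DoH upstream down, only mode 3 returns an error, which is the same condition that makes its bootstrap lookup a problem.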

Windows - cloudflared as a service (starts on user login) for DoH doesn't work

I have followed this guide: https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/ to set up a DNS over HTTPS client on my Windows 10 desktop.

C:\WINDOWS\system32>where cloudflared
C:\cloudflared-stable-windows-amd64\cloudflared.exe

C:\WINDOWS\system32>cloudflared --version
cloudflared version 2018.10.3 (built 2018-10-10-2045 UTC)

C:\WINDOWS\system32>cloudflared proxy-dns
INFO[0000] Applied configuration from C:\Users\Arnaud\.cloudflared\config.yml
INFO[0000] Adding DNS upstream                           url="https://1.1.1.1/dns-query"
INFO[0000] Adding DNS upstream                           url="https://1.0.0.1/dns-query"
INFO[0000] Starting metrics server                       addr="127.0.0.1:58086"
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://localhost:53"

C:\WINDOWS\system32>cloudflared service install
INFO[0000] Applied configuration from C:\Users\Arnaud\.cloudflared\config.yml
INFO[0000] Installing Argo Tunnel Windows service
INFO[0000] Argo Tunnel agent service is installed

C:\WINDOWS\system32>sc start cloudflared

SERVICE_NAME: cloudflared
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 13248
        FLAGS              :

cloudflared.exe is installed to C:\cloudflared-stable-windows-amd64, and C:\cloudflared-stable-windows-amd64 is added to the Path environment variable.
I executed these commands from cmd.exe run as Administrator.

My config.yml is in %UserProfile%/.cloudflared:

proxy-dns: true
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query

cloudflared proxy-dns works as expected: I launched WSL (Ubuntu 18.04) and ran dig +short @127.0.0.1 cloudflare.com AAAA:

oxynux@oxynux-desktop:~$ dig +short @127.0.0.1 cloudflare.com AAAA
2400:cb00:2048:1::c629:d7a2
2400:cb00:2048:1::c629:d6a2

But after sc start cloudflared the service doesn't start at all and dig +short @127.0.0.1 cloudflare.com AAAA doesn't work:

C:\WINDOWS\system32>sc query cloudflared

SERVICE_NAME: cloudflared
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1066  (0x42a)
        SERVICE_EXIT_CODE  : 1  (0x1)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

oxynux@oxynux-desktop:~$ dig +short @127.0.0.1 cloudflare.com AAAA
;; connection timed out; no servers could be reached

How can I work around this and configure cloudflared to start on user login on Windows?

Segmentation fault on raspberry pi 2 model b

File downloaded from https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz

pi@raspberrypi:~ $ ./cloudflared -v
Segmentation fault
pi@raspberrypi:~ $ uname -a 
Linux raspberrypi 4.14.52+ #1123 Wed Jun 27 17:05:32 BST 2018 armv6l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID:	Raspbian
Description:	Raspbian GNU/Linux 9.4 (stretch)
Release:	9.4
Codename:	stretch
pi@raspberrypi:~ $ cat /proc/cpuinfo 
processor	: 0
model name	: ARMv6-compatible processor rev 7 (v6l)
BogoMIPS	: 697.95
Features	: half thumb fastmult vfp edsp java tls 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xb76
CPU revision	: 7

Hardware	: BCM2835
Revision	: 000e
pi@raspberrypi:~ $ sha256sum cloudflared
b3730fd14bc7306b09eafefcef10025aca3f2e94a6059952426a5341ab6e4045  cloudflared
pi@raspberrypi:~ $ file cloudflared
cloudflared: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=adf2825c51e543d9a36dea416573b70eeaa2ac8a, not stripped

issue in nodejs

everything seems to be working great for me with cloudflared and dns over https, except for one thing: suddenly my node applications are having problems resolving dns.

when attempting to fetch an object from amazon, i'm getting the following response:

error: Get https://s3-eu-west-1.amazonaws.com/...: dial tcp: lookup s3-eu-west-1.amazonaws.com on 127.0.0.1:53: read udp 127.0.0.1:60691->127.0.0.1:53: read: connection refused

Loglevel 'debug' shows too much information, and 'info' too little

The debug level for loglevel is extremely detailed for incoming requests. The next level info shows no incoming requests at all.

Often I want to just see all the URLs coming in, but not the headers and full 'cloudflare diagnostics'.

Would be great to get a log level that just showed incoming URLs and not all the request/response headers.
This could be useful for both production and development workflows. I'm primarily using it for development and it's very helpful to see what's being requested.

Cannot register tunnel

While doing some refactoring in a branch, I finally got it to a running state but now I have this error. I checked out the original branch (master) just to be sure, and the error still appears (I added a single print line to show the error message):

$ go build && ./cloudflare-warp --hostname my.hostname --hello-world --no-autoupdate
INFO[0000] Proxying tunnel requests to https://127.0.0.1:53287 
INFO[0000] Starting Hello World server at 127.0.0.1:53287 
INFO[0000] Starting metrics server                       addr="127.0.0.1:53288"
ERRO[0000] handle return: received return for unknown question id=0  subsystem=rpc-transport
INFO[0000] Connected to LAX                             
pogs: insert @0xc793e50592935b4a: can't insert into pogs.RegistrationOptions: pogs.RegistrationOptions has unknown field PoolName, maps to poolName
ERRO[0000] Cannot register                              
INFO[0000] Retrying in 1s seconds

Does this have something to do with an inconsistency between the client and the backend maybe? I actually have no idea.

yaml config not respecting dns-proxy-port value

I'm trying to configure dns proxying via YAML and it's not respecting the port value. This works fine if I pass in command line arguments for dns-proxy-address and dns-proxy-port but in YAML the port value is ignored.

Given this YAML config:

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-address: 0.0.0.0
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query

I get this output:

INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yaml
INFO[0000] Adding DNS upstream url="https://1.1.1.1/dns-query"
INFO[0000] Adding DNS upstream url="https://1.0.0.1/dns-query"
INFO[0000] cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/argo-tunnel/reference/service/
INFO[0000] Starting DNS over HTTPS proxy server addr="dns://0.0.0.0:53"
FATA[0000] Cannot start the DNS over HTTPS proxy server error="failed to create a UDP listener: listen udp 0.0.0.0:53: bind: address already in use"

On the command line, no problems:

cloudflared proxy-dns --port 5053 --address 0.0.0.0 --upstream https://1.1.1.1/dns-query https://1.0.0.1/dns-query

INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yaml
INFO[0000] Adding DNS upstream                           url="https://1.1.1.1/dns-query"
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://0.0.0.0:5053"
INFO[0000] Starting metrics server                       addr="127.0.0.1:33759"

Cloudflared stops resolving DNS.

I am not sure how to diagnose the issue but hoping someone can help. Not overly sure if it is an issue with Cloudflared.

I have successfully set up Cloudflared to act as a DNS server and am using it with Pi-Hole. I have manually specified my DNS on a laptop and that works perfectly.

Unfortunately, if I change my DNS in the router, Cloudflared stops resolving DNS. I have double-checked this by connecting using SSH and manually attempting a DNS query, and nothing is returned. It stopped working immediately after changing the router to hand out the DNS server.

The steps taken to set up closely follow: https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/
