TUN-7065: Remove classic tunnel creation

Author: DevinCarr

cmd/cloudflared/main.go

@@ -155,8 +155,6 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 		if isEmptyInvocation(c) {
 			return handleServiceMode(c, graceShutdownC)
 		}
-		tags := make(map[string]string)
-		tags["hostname"] = c.String("hostname")
 		func() {
 			defer sentry.Recover()
 			err = tunnel.TunnelCommand(c)

cmd/cloudflared/tunnel/cmd.go

@@ -100,6 +100,7 @@ var (
 	routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
 		"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
 		"any existing DNS records for this hostname.", overwriteDNSFlag)
+	deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
 )
 
 func Flags() []cli.Flag {
@@ -182,17 +183,17 @@ func TunnelCommand(c *cli.Context) error {
 
 	// Unauthenticated named tunnel on <random>.<quick-tunnels-service>.com
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet("hello-world")
-	if !dnsProxyStandAlone(c, nil) && c.String("hostname") == "" && c.String("quick-service") != "" && shouldRunQuickTunnel {
+	if !dnsProxyStandAlone(c, nil) && c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
 
 	if ref := config.GetConfiguration().TunnelID; ref != "" {
 		return fmt.Errorf("Use `cloudflared tunnel run` to start tunnel %s", ref)
 	}
 
-	// Start a classic tunnel if hostname is specified.
+	// classic tunnel usage is no longer supported
 	if c.String("hostname") != "" {
-		return runClassicTunnel(sc)
+		return deprecatedClassicTunnelErr
 	}
 
 	if c.IsSet("proxy-dns") {
@@ -237,11 +238,6 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
 	return nil
 }
 
-// runClassicTunnel creates a "classic" non-named tunnel
-func runClassicTunnel(sc *subcommandContext) error {
-	return StartServer(sc.c, buildInfo, nil, sc.log)
-}
-
 func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 	if hostname := c.String("hostname"); hostname != "" {
 		if lbPool := c.String("lb-pool"); lbPool != "" {
@@ -350,14 +346,6 @@ func StartServer(
 		return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
 	}
 
-	url := c.String("url")
-	hostname := c.String("hostname")
-	if url == hostname && url != "" && hostname != "" {
-		errText := "hostname and url shouldn't match. See --help for more information"
-		log.Error().Msg(errText)
-		return fmt.Errorf(errText)
-	}
-
 	logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
 
 	observer := connection.NewObserver(log, logTransport)

cmd/cloudflared/tunnel/configuration.go

@@ -32,7 +32,6 @@ import (
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-	"github.com/cloudflare/cloudflared/validation"
 )
 
 const LogFieldOriginCertPath = "originCertPath"
@@ -43,8 +42,6 @@ var (
 	serviceUrl      = developerPortal + "/reference/service/"
 	argumentsUrl    = developerPortal + "/reference/arguments/"
 
-	LogFieldHostname = "hostname"
-
 	secretFlags     = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
 	defaultFeatures = []string{supervisor.FeatureAllowRemoteConfig, supervisor.FeatureSerializedHeaders, supervisor.FeatureDatagramV2, supervisor.FeatureQUICSupportEOF}
 
@@ -127,7 +124,7 @@ func isSecretEnvVar(key string) bool {
 }
 
 func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool {
-	return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world") && namedTunnel == nil)
+	return c.IsSet("proxy-dns") && (!c.IsSet("tag") && !c.IsSet("hello-world") && namedTunnel == nil)
 }
 
 func findOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {
@@ -193,37 +190,19 @@ func prepareTunnelConfig(
 	observer *connection.Observer,
 	namedTunnel *connection.NamedTunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
-	isNamedTunnel := namedTunnel != nil
-
-	configHostname := c.String("hostname")
-	hostname, err := validation.ValidateHostname(configHostname)
+	clientID, err := uuid.NewRandom()
 	if err != nil {
-		log.Err(err).Str(LogFieldHostname, configHostname).Msg("Invalid hostname")
-		return nil, nil, errors.Wrap(err, "Invalid hostname")
-	}
-	clientID := c.String("id")
-	if !c.IsSet("id") {
-		clientID, err = generateRandomClientID(log)
-		if err != nil {
-			return nil, nil, err
-		}
+		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 	}
-
+	log.Info().Msgf("Generated Connector ID: %s", clientID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
-
-	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID})
-
-	var (
-		ingressRules  ingress.Ingress
-		classicTunnel *connection.ClassicTunnelProperties
-	)
+	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID.String()})
 
 	transportProtocol := c.String("protocol")
-
 	needPQ := c.Bool("post-quantum")
 	if needPQ {
 		if FipsEnabled {
@@ -238,79 +217,52 @@ func prepareTunnelConfig(
 
 	protocolFetcher := edgediscovery.ProtocolPercentage
 
-	cfg := config.GetConfiguration()
-	if isNamedTunnel {
-		clientUUID, err := uuid.NewRandom()
-		if err != nil {
-			return nil, nil, errors.Wrap(err, "can't generate connector UUID")
-		}
-		log.Info().Msgf("Generated Connector ID: %s", clientUUID)
-		features := append(c.StringSlice("features"), defaultFeatures...)
-		if needPQ {
-			features = append(features, supervisor.FeaturePostQuantum)
-		}
-		if c.IsSet(TunnelTokenFlag) {
-			if transportProtocol == connection.AutoSelectFlag {
-				protocolFetcher = func() (edgediscovery.ProtocolPercents, error) {
-					// If the Tunnel is remotely managed and no protocol is set, we prefer QUIC, but still allow fall-back.
-					preferQuic := []edgediscovery.ProtocolPercent{
-						{
-							Protocol:   connection.QUIC.String(),
-							Percentage: 100,
-						},
-						{
-							Protocol:   connection.HTTP2.String(),
-							Percentage: 100,
-						},
-					}
-					return preferQuic, nil
+	features := append(c.StringSlice("features"), defaultFeatures...)
+	if needPQ {
+		features = append(features, supervisor.FeaturePostQuantum)
+	}
+	if c.IsSet(TunnelTokenFlag) {
+		if transportProtocol == connection.AutoSelectFlag {
+			protocolFetcher = func() (edgediscovery.ProtocolPercents, error) {
+				// If the Tunnel is remotely managed and no protocol is set, we prefer QUIC, but still allow fall-back.
+				preferQuic := []edgediscovery.ProtocolPercent{
+					{
+						Protocol:   connection.QUIC.String(),
+						Percentage: 100,
+					},
+					{
+						Protocol:   connection.HTTP2.String(),
+						Percentage: 100,
+					},
 				}
+				return preferQuic, nil
 			}
-			log.Info().Msg("Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic")
-		}
-		namedTunnel.Client = tunnelpogs.ClientInfo{
-			ClientID: clientUUID[:],
-			Features: dedup(features),
-			Version:  info.Version(),
-			Arch:     info.OSArch(),
-		}
-		ingressRules, err = ingress.ParseIngress(cfg)
-		if err != nil && err != ingress.ErrNoIngressRules {
-			return nil, nil, err
-		}
-		if !ingressRules.IsEmpty() && c.IsSet("url") {
-			return nil, nil, ingress.ErrURLIncompatibleWithIngress
-		}
-	} else {
-
-		originCertPath := c.String("origincert")
-		originCertLog := log.With().
-			Str(LogFieldOriginCertPath, originCertPath).
-			Logger()
-
-		originCert, err := getOriginCert(originCertPath, &originCertLog)
-		if err != nil {
-			return nil, nil, errors.Wrap(err, "Error getting origin cert")
-		}
-
-		classicTunnel = &connection.ClassicTunnelProperties{
-			Hostname:   hostname,
-			OriginCert: originCert,
-			// turn off use of reconnect token and auth refresh when using named tunnels
-			UseReconnectToken: !isNamedTunnel && c.Bool("use-reconnect-token"),
 		}
+		log.Info().Msg("Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic")
 	}
-
-	// Convert single-origin configuration into multi-origin configuration.
-	if ingressRules.IsEmpty() {
-		ingressRules, err = ingress.NewSingleOrigin(c, !isNamedTunnel)
+	namedTunnel.Client = tunnelpogs.ClientInfo{
+		ClientID: clientID[:],
+		Features: dedup(features),
+		Version:  info.Version(),
+		Arch:     info.OSArch(),
+	}
+	cfg := config.GetConfiguration()
+	ingressRules, err := ingress.ParseIngress(cfg)
+	if err != nil && err != ingress.ErrNoIngressRules {
+		return nil, nil, err
+	}
+	// Only for quick tunnels will we attempt to parse the --url flag for a tunnel ingress rule
+	if ingressRules.IsEmpty() && c.IsSet("url") && namedTunnel.QuickTunnelUrl != "" {
+		ingressRules, err = ingress.NewSingleOrigin(c, true)
 		if err != nil {
 			return nil, nil, err
 		}
 	}
+	if ingressRules.IsEmpty() {
+		return nil, nil, ingress.ErrNoIngressRules
+	}
 
-	warpRoutingEnabled := isWarpRoutingEnabled(cfg.WarpRouting, isNamedTunnel)
-	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, warpRoutingEnabled, namedTunnel, protocolFetcher, supervisor.ResolveTTL, log, c.Bool("post-quantum"))
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, cfg.WarpRouting.Enabled, namedTunnel, protocolFetcher, supervisor.ResolveTTL, log, c.Bool("post-quantum"))
 	if err != nil {
 		return nil, nil, err
 	}
@@ -362,7 +314,7 @@ func prepareTunnelConfig(
 		GracePeriod:     gracePeriod,
 		ReplaceExisting: c.Bool("force"),
 		OSArch:          info.OSArch(),
-		ClientID:        clientID,
+		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice("edge"),
 		Region:          c.String("region"),
 		EdgeIPVersion:   edgeIPVersion,
@@ -379,7 +331,6 @@ func prepareTunnelConfig(
 		Retries:            uint(c.Int("retries")),
 		RunFromTerminal:    isRunningFromTerminal(),
 		NamedTunnel:        namedTunnel,
-		ClassicTunnel:      classicTunnel,
 		MuxerConfig:        muxerConfig,
 		ProtocolSelector:   protocolSelector,
 		EdgeTLSConfigs:     edgeTLSConfigs,
@@ -421,10 +372,6 @@ func gracePeriod(c *cli.Context) (time.Duration, error) {
 	return period, nil
 }
 
-func isWarpRoutingEnabled(warpConfig config.WarpRoutingConfig, isNamedTunnel bool) bool {
-	return warpConfig.Enabled && isNamedTunnel
-}
-
 func isRunningFromTerminal() bool {
 	return terminal.IsTerminal(int(os.Stdout.Fd()))
 }

component-tests/test_proxy_dns.py

@@ -12,18 +12,12 @@ class TestProxyDns:
     def test_proxy_dns_with_named_tunnel(self, tmp_path, component_tests_config):
         run_test_scenario(tmp_path, component_tests_config, CfdModes.NAMED, run_proxy_dns=True)
 
-    def test_proxy_dns_with_classic_tunnel(self, tmp_path, component_tests_config):
-        run_test_scenario(tmp_path, component_tests_config, CfdModes.CLASSIC, run_proxy_dns=True)
-
     def test_proxy_dns_alone(self, tmp_path, component_tests_config):
         run_test_scenario(tmp_path, component_tests_config, CfdModes.PROXY_DNS, run_proxy_dns=True)
 
     def test_named_tunnel_alone(self, tmp_path, component_tests_config):
         run_test_scenario(tmp_path, component_tests_config, CfdModes.NAMED, run_proxy_dns=False)
 
-    def test_classic_tunnel_alone(self, tmp_path, component_tests_config):
-        run_test_scenario(tmp_path, component_tests_config, CfdModes.CLASSIC, run_proxy_dns=False)
-
 
 def run_test_scenario(tmp_path, component_tests_config, cfd_mode, run_proxy_dns):
     expect_proxy_dns = run_proxy_dns
@@ -33,10 +27,6 @@ def run_test_scenario(tmp_path, component_tests_config, cfd_mode, run_proxy_dns)
         expect_tunnel = True
         pre_args = ["tunnel"]
         args = ["run"]
-    elif cfd_mode == CfdModes.CLASSIC:
-        expect_tunnel = True
-        pre_args = []
-        args = []
     elif cfd_mode == CfdModes.PROXY_DNS:
         expect_proxy_dns = True
         pre_args = []

component-tests/test_reconnect.py

@@ -33,13 +33,6 @@ def test_named_reconnect(self, tmp_path, component_tests_config, protocol):
             # Repeat the test multiple times because some issues only occur after multiple reconnects
             self.assert_reconnect(config, cloudflared, 5)
 
-    def test_classic_reconnect(self, tmp_path, component_tests_config):
-        extra_config = copy.copy(self.extra_config)
-        extra_config["hello-world"] = True
-        config = component_tests_config(additional_config=extra_config, cfd_mode=CfdModes.CLASSIC)
-        with start_cloudflared(tmp_path, config, cfd_args=[], new_process=True, allow_input=True, capture_output=False) as cloudflared:
-            self.assert_reconnect(config, cloudflared, 1)
-
     def send_reconnect(self, cloudflared, secs):
         # Although it is recommended to use the Popen.communicate method, we cannot
         # use it because it blocks on reading stdout and stderr until EOF is reached

connection/h2mux.go

@@ -123,46 +123,6 @@ func (h *h2muxConnection) ServeNamedTunnel(ctx context.Context, namedTunnel *Nam
 	return err
 }
 
-func (h *h2muxConnection) ServeClassicTunnel(ctx context.Context, classicTunnel *ClassicTunnelProperties, credentialManager CredentialManager, registrationOptions *tunnelpogs.RegistrationOptions, connectedFuse ConnectedFuse) error {
-	errGroup, serveCtx := errgroup.WithContext(ctx)
-	errGroup.Go(func() error {
-		return h.serveMuxer(serveCtx)
-	})
-
-	errGroup.Go(func() (err error) {
-		defer func() {
-			if err == nil {
-				connectedFuse.Connected()
-			}
-		}()
-		if classicTunnel.UseReconnectToken && connectedFuse.IsConnected() {
-			err := h.reconnectTunnel(ctx, credentialManager, classicTunnel, registrationOptions)
-			if err == nil {
-				return nil
-			}
-			// log errors and proceed to RegisterTunnel
-			h.observer.log.Err(err).
-				Uint8(LogFieldConnIndex, h.connIndex).
-				Msg("Couldn't reconnect connection. Re-registering it instead.")
-		}
-		return h.registerTunnel(ctx, credentialManager, classicTunnel, registrationOptions)
-	})
-
-	errGroup.Go(func() error {
-		h.controlLoop(serveCtx, connectedFuse, false)
-		return nil
-	})
-
-	err := errGroup.Wait()
-	if err == errMuxerStopped {
-		if h.stoppedGracefully {
-			return nil
-		}
-		h.observer.log.Info().Uint8(LogFieldConnIndex, h.connIndex).Msg("Unexpected muxer shutdown")
-	}
-	return err
-}
-
 func (h *h2muxConnection) serveMuxer(ctx context.Context) error {
 	// All routines should stop when muxer finish serving. When muxer is shutdown
 	// gracefully, it doesn't return an error, so we need to return errMuxerShutdown

ingress/ingress.go

@@ -71,9 +71,8 @@ type Ingress struct {
 }
 
 // NewSingleOrigin constructs an Ingress set with only one rule, constructed from
-// legacy CLI parameters like --url or --no-chunked-encoding.
+// CLI parameters for quick tunnels like --url or --no-chunked-encoding.
 func NewSingleOrigin(c *cli.Context, allowURLFromArgs bool) (Ingress, error) {
-
 	service, err := parseSingleOriginService(c, allowURLFromArgs)
 	if err != nil {
 		return Ingress{}, err