Merge pull request #656 from nikr-canva/http2-origins

sssilver · web-flow · commit ee87c43eb955 · 2022-06-16T12:23:07.000-05:00
Add Http2Origin option to force HTTP/2 origin connections
diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
@@ -837,6 +837,13 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			EnvVars: []string{"TUNNEL_NO_CHUNKED_ENCODING"},
 			Hidden:  shouldHide,
 		}),
+		altsrc.NewBoolFlag(&cli.BoolFlag{
+			Name:    ingress.Http2OriginFlag,
+			Usage:   "Enables HTTP/2 origin servers.",
+			EnvVars: []string{"TUNNEL_ORIGIN_ENABLE_HTTP2"},
+			Hidden:  shouldHide,
+			Value:   false,
+		}),
 	}
 	return append(flags, sshFlags(shouldHide)...)
 }
diff --git a/config/configuration.go b/config/configuration.go
@@ -227,6 +227,8 @@ type OriginRequestConfig struct {
 	ProxyType *string `yaml:"proxyType" json:"proxyType,omitempty"`
 	// IP rules for the proxy service
 	IPRules []IngressIPRule `yaml:"ipRules" json:"ipRules,omitempty"`
+	// Attempt to connect to origin with HTTP/2
+	Http2Origin *bool `yaml:"http2Origin" json:"http2Origin,omitempty"`
 }
 
 type IngressIPRule struct {
diff --git a/config/configuration_test.go b/config/configuration_test.go
@@ -144,7 +144,8 @@ var rawJsonConfig = []byte(`
 			"ports": [443, 4443],
 			"allow": true
 		}
-	]
+	],
+	"http2Origin": true
 }
 `)
 
@@ -191,6 +192,7 @@ func assertConfig(
 	assert.Equal(t, true, *config.NoTLSVerify)
 	assert.Equal(t, uint(9000), *config.ProxyPort)
 	assert.Equal(t, "socks", *config.ProxyType)
+	assert.Equal(t, true, *config.Http2Origin)
 
 	privateV4 := "10.0.0.0/8"
 	privateV6 := "fc00::/7"
diff --git a/ingress/config.go b/ingress/config.go
@@ -36,6 +36,7 @@ const (
 	NoChunkedEncodingFlag         = "no-chunked-encoding"
 	ProxyAddressFlag              = "proxy-address"
 	ProxyPortFlag                 = "proxy-port"
+	Http2OriginFlag               = "http2-origin"
 )
 
 const (
@@ -128,6 +129,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 	var proxyAddress = defaultProxyAddress
 	var proxyPort uint
 	var proxyType string
+	var http2Origin bool
 	if flag := ProxyConnectTimeoutFlag; c.IsSet(flag) {
 		connectTimeout = config.CustomDuration{Duration: c.Duration(flag)}
 	}
@@ -171,9 +173,13 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		proxyPort = uint(c.Int(flag))
 	}
+	if flag := Http2OriginFlag; c.IsSet(flag) {
+		http2Origin = c.Bool(flag)
+	}
 	if c.IsSet(Socks5Flag) {
 		proxyType = socksProxy
 	}
+
 	return OriginRequestConfig{
 		ConnectTimeout:         connectTimeout,
 		TLSTimeout:             tlsTimeout,
@@ -190,6 +196,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 		ProxyAddress:           proxyAddress,
 		ProxyPort:              proxyPort,
 		ProxyType:              proxyType,
+		Http2Origin:            http2Origin,
 	}
 }
 
@@ -255,6 +262,9 @@ func originRequestFromConfig(c config.OriginRequestConfig) OriginRequestConfig {
 			}
 		}
 	}
+	if c.Http2Origin != nil {
+		out.Http2Origin = *c.Http2Origin
+	}
 	return out
 }
 
@@ -298,6 +308,8 @@ type OriginRequestConfig struct {
 	ProxyType string `yaml:"proxyType" json:"proxyType"`
 	// IP rules for the proxy service
 	IPRules []ipaccess.Rule `yaml:"ipRules" json:"ipRules"`
+	// Attempt to connect to origin with HTTP/2
+	Http2Origin bool `yaml:"http2Origin" json:"http2Origin"`
 }
 
 func (defaults *OriginRequestConfig) setConnectTimeout(overrides config.OriginRequestConfig) {
@@ -403,6 +415,12 @@ func (defaults *OriginRequestConfig) setIPRules(overrides config.OriginRequestCo
 	}
 }
 
+func (defaults *OriginRequestConfig) setHttp2Origin(overrides config.OriginRequestConfig) {
+	if val := overrides.Http2Origin; val != nil {
+		defaults.Http2Origin = *val
+	}
+}
+
 // SetConfig gets config for the requests that cloudflared sends to origins.
 // Each field has a setter method which sets a value for the field by trying to find:
 //   1. The user config for this rule
@@ -428,6 +446,7 @@ func setConfig(defaults OriginRequestConfig, overrides config.OriginRequestConfi
 	cfg.setProxyAddress(overrides)
 	cfg.setProxyType(overrides)
 	cfg.setIPRules(overrides)
+	cfg.setHttp2Origin(overrides)
 	return cfg
 }
 
@@ -475,6 +494,7 @@ func ConvertToRawOriginConfig(c OriginRequestConfig) config.OriginRequestConfig
 		ProxyPort:              zeroUIntToNil(c.ProxyPort),
 		ProxyType:              emptyStringToNil(c.ProxyType),
 		IPRules:                convertToRawIPRules(c.IPRules),
+		Http2Origin:            defaultBoolToNil(c.Http2Origin),
 	}
 }
 
diff --git a/ingress/origin_service.go b/ingress/origin_service.go
@@ -290,6 +290,7 @@ func newHTTPTransport(service OriginService, cfg OriginRequestConfig, log *zerol
 		TLSHandshakeTimeout:   cfg.TLSTimeout.Duration,
 		ExpectContinueTimeout: 1 * time.Second,
 		TLSClientConfig:       &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},
+		ForceAttemptHTTP2:     cfg.Http2Origin,
 	}
 	if _, isHelloWorld := service.(*helloWorld); !isHelloWorld && cfg.OriginServerName != "" {
 		httpTransport.TLSClientConfig.ServerName = cfg.OriginServerName
diff --git a/ingress/rule_test.go b/ingress/rule_test.go
@@ -182,25 +182,25 @@ func TestMarshalJSON(t *testing.T) {
 		{
 			name:     "Nil",
 			path:     nil,
-			expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null}}`,
+			expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false}}`,
 			want:     true,
 		},
 		{
 			name:     "Nil regex",
 			path:     &Regexp{Regexp: nil},
-			expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null}}`,
+			expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false}}`,
 			want:     true,
 		},
 		{
 			name:     "Empty",
 			path:     &Regexp{Regexp: regexp.MustCompile("")},
-			expected: `{"hostname":"example.com","path":"","service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null}}`,
+			expected: `{"hostname":"example.com","path":"","service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false}}`,
 			want:     true,
 		},
 		{
 			name:     "Basic",
 			path:     &Regexp{Regexp: regexp.MustCompile("/echo")},
-			expected: `{"hostname":"example.com","path":"/echo","service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null}}`,
+			expected: `{"hostname":"example.com","path":"/echo","service":"https://localhost:8000","originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false}}`,
 			want:     true,
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -837,6 +837,13 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {`
`837`	`837`	`EnvVars: []string{"TUNNEL_NO_CHUNKED_ENCODING"},`
`838`	`838`	`Hidden: shouldHide,`
`839`	`839`	`}),`
	`840`	`+ altsrc.NewBoolFlag(&cli.BoolFlag{`
	`841`	`+ Name: ingress.Http2OriginFlag,`
	`842`	`+ Usage: "Enables HTTP/2 origin servers.",`
	`843`	`+ EnvVars: []string{"TUNNEL_ORIGIN_ENABLE_HTTP2"},`
	`844`	`+ Hidden: shouldHide,`
	`845`	`+ Value: false,`
	`846`	`+ }),`
`840`	`847`	`}`
`841`	`848`	`return append(flags, sshFlags(shouldHide)...)`
`842`	`849`	`}`
Original file line number	Diff line number	Diff line change
`@@ -227,6 +227,8 @@ type OriginRequestConfig struct {`
`227`	`227`	ProxyType *string `yaml:"proxyType" json:"proxyType,omitempty"`
`228`	`228`	`// IP rules for the proxy service`
`229`	`229`	IPRules []IngressIPRule `yaml:"ipRules" json:"ipRules,omitempty"`
	`230`	`+ // Attempt to connect to origin with HTTP/2`
	`231`	+ Http2Origin *bool `yaml:"http2Origin" json:"http2Origin,omitempty"`
`230`	`232`	`}`
`231`	`233`
`232`	`234`	`type IngressIPRule struct {`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ const (`
`36`	`36`	`NoChunkedEncodingFlag = "no-chunked-encoding"`
`37`	`37`	`ProxyAddressFlag = "proxy-address"`
`38`	`38`	`ProxyPortFlag = "proxy-port"`
	`39`	`+ Http2OriginFlag = "http2-origin"`
`39`	`40`	`)`
`40`	`41`
`41`	`42`	`const (`
`@@ -128,6 +129,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {`
`128`	`129`	`var proxyAddress = defaultProxyAddress`
`129`	`130`	`var proxyPort uint`
`130`	`131`	`var proxyType string`
	`132`	`+ var http2Origin bool`
`131`	`133`	`if flag := ProxyConnectTimeoutFlag; c.IsSet(flag) {`
`132`	`134`	`connectTimeout = config.CustomDuration{Duration: c.Duration(flag)}`
`133`	`135`	`}`
`@@ -171,9 +173,13 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {`
`171`	`173`	`// Note TUN-3758 , we use Int because UInt is not supported with altsrc`
`172`	`174`	`proxyPort = uint(c.Int(flag))`
`173`	`175`	`}`
	`176`	`+ if flag := Http2OriginFlag; c.IsSet(flag) {`
	`177`	`+ http2Origin = c.Bool(flag)`
	`178`	`+ }`
`174`	`179`	`if c.IsSet(Socks5Flag) {`
`175`	`180`	`proxyType = socksProxy`
`176`	`181`	`}`
	`182`	`+`
`177`	`183`	`return OriginRequestConfig{`
`178`	`184`	`ConnectTimeout: connectTimeout,`
`179`	`185`	`TLSTimeout: tlsTimeout,`
`@@ -190,6 +196,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {`
`190`	`196`	`ProxyAddress: proxyAddress,`
`191`	`197`	`ProxyPort: proxyPort,`
`192`	`198`	`ProxyType: proxyType,`
	`199`	`+ Http2Origin: http2Origin,`
`193`	`200`	`}`
`194`	`201`	`}`
`195`	`202`
`@@ -255,6 +262,9 @@ func originRequestFromConfig(c config.OriginRequestConfig) OriginRequestConfig {`
`255`	`262`	`}`
`256`	`263`	`}`
`257`	`264`	`}`
	`265`	`+ if c.Http2Origin != nil {`
	`266`	`+ out.Http2Origin = *c.Http2Origin`
	`267`	`+ }`
`258`	`268`	`return out`
`259`	`269`	`}`
`260`	`270`
`@@ -298,6 +308,8 @@ type OriginRequestConfig struct {`
`298`	`308`	ProxyType string `yaml:"proxyType" json:"proxyType"`
`299`	`309`	`// IP rules for the proxy service`
`300`	`310`	IPRules []ipaccess.Rule `yaml:"ipRules" json:"ipRules"`
	`311`	`+ // Attempt to connect to origin with HTTP/2`
	`312`	+ Http2Origin bool `yaml:"http2Origin" json:"http2Origin"`
`301`	`313`	`}`
`302`	`314`
`303`	`315`	`func (defaults *OriginRequestConfig) setConnectTimeout(overrides config.OriginRequestConfig) {`
`@@ -403,6 +415,12 @@ func (defaults *OriginRequestConfig) setIPRules(overrides config.OriginRequestCo`
`403`	`415`	`}`
`404`	`416`	`}`
`405`	`417`
	`418`	`+func (defaults *OriginRequestConfig) setHttp2Origin(overrides config.OriginRequestConfig) {`
	`419`	`+ if val := overrides.Http2Origin; val != nil {`
	`420`	`+ defaults.Http2Origin = *val`
	`421`	`+ }`
	`422`	`+}`
	`423`	`+`
`406`	`424`	`// SetConfig gets config for the requests that cloudflared sends to origins.`
`407`	`425`	`// Each field has a setter method which sets a value for the field by trying to find:`
`408`	`426`	`// 1. The user config for this rule`
`@@ -428,6 +446,7 @@ func setConfig(defaults OriginRequestConfig, overrides config.OriginRequestConfi`
`428`	`446`	`cfg.setProxyAddress(overrides)`
`429`	`447`	`cfg.setProxyType(overrides)`
`430`	`448`	`cfg.setIPRules(overrides)`
	`449`	`+ cfg.setHttp2Origin(overrides)`
`431`	`450`	`return cfg`
`432`	`451`	`}`
`433`	`452`
`@@ -475,6 +494,7 @@ func ConvertToRawOriginConfig(c OriginRequestConfig) config.OriginRequestConfig`
`475`	`494`	`ProxyPort: zeroUIntToNil(c.ProxyPort),`
`476`	`495`	`ProxyType: emptyStringToNil(c.ProxyType),`
`477`	`496`	`IPRules: convertToRawIPRules(c.IPRules),`
	`497`	`+ Http2Origin: defaultBoolToNil(c.Http2Origin),`
`478`	`498`	`}`
`479`	`499`	`}`
`480`	`500`
Original file line number	Diff line number	Diff line change
`@@ -290,6 +290,7 @@ func newHTTPTransport(service OriginService, cfg OriginRequestConfig, log *zerol`
`290`	`290`	`TLSHandshakeTimeout: cfg.TLSTimeout.Duration,`
`291`	`291`	`ExpectContinueTimeout: 1 * time.Second,`
`292`	`292`	`TLSClientConfig: &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},`
	`293`	`+ ForceAttemptHTTP2: cfg.Http2Origin,`
`293`	`294`	`}`
`294`	`295`	`if _, isHelloWorld := service.(*helloWorld); !isHelloWorld && cfg.OriginServerName != "" {`
`295`	`296`	`httpTransport.TLSClientConfig.ServerName = cfg.OriginServerName`