Proposal: Support ingress rule matching for bastion mode

Makefile

@@ -109,7 +109,7 @@ ifneq ($(TARGET_ARM), )
 	ARM_COMMAND := GOARM=$(TARGET_ARM)
 endif
 
-ifeq ($(TARGET_ARM), 7) 
+ifeq ($(TARGET_ARM), 7)
 	PACKAGE_ARCH := armhf
 else
 	PACKAGE_ARCH := $(TARGET_ARCH)

carrier/carrier.go

@@ -16,13 +16,14 @@ import (
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 
+	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/token"
 )
 
 const (
 	LogFieldOriginURL       = "originURL"
 	CFAccessTokenHeader     = "Cf-Access-Token"
-	cfJumpDestinationHeader = "Cf-Access-Jump-Destination"
+	CFJumpDestinationHeader = "Cf-Access-Jump-Destination"
 )
 
 type StartOptions struct {
@@ -163,12 +164,16 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 
 func SetBastionDest(header http.Header, destination string) {
 	if destination != "" {
-		header.Set(cfJumpDestinationHeader, destination)
+		header.Set(CFJumpDestinationHeader, destination)
 	}
 }
 
-func ResolveBastionDest(r *http.Request) (string, error) {
-	jumpDestination := r.Header.Get(cfJumpDestinationHeader)
+func ResolveBastionDest(req *http.Request, bastionMode bool, service string) (string, error) {
+	jumpDestination := req.Header.Get(CFJumpDestinationHeader)
+	if bastionMode && service != config.BastionFlag {
+		jumpDestination = service
+	}
+
 	if jumpDestination == "" {
 		return "", fmt.Errorf("Did not receive final destination from client. The --destination flag is likely not set on the client side")
 	}

carrier/carrier_test.go

@@ -158,80 +158,110 @@ func testRequest(t *testing.T, url string, stream io.ReadWriter) *http.Request {
 }
 
 func TestBastionDestination(t *testing.T) {
+
 	tests := []struct {
 		name         string
 		header       http.Header
 		expectedDest string
 		wantErr      bool
+		bastionMode  bool
+		service      string
 	}{
 		{
 			name: "hostname destination",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"localhost"},
+				CFJumpDestinationHeader: []string{"localhost"},
 			},
 			expectedDest: "localhost",
 		},
 		{
 			name: "hostname destination with port",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"localhost:9000"},
+				CFJumpDestinationHeader: []string{"localhost:9000"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "hostname destination with scheme and port",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"ssh://localhost:9000"},
+				CFJumpDestinationHeader: []string{"ssh://localhost:9000"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "full hostname url",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"ssh://localhost:9000/metrics"},
+				CFJumpDestinationHeader: []string{"ssh://localhost:9000/metrics"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "hostname destination with port and path",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"localhost:9000/metrics"},
+				CFJumpDestinationHeader: []string{"localhost:9000/metrics"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "ip destination",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"127.0.0.1"},
+				CFJumpDestinationHeader: []string{"127.0.0.1"},
 			},
 			expectedDest: "127.0.0.1",
 		},
 		{
 			name: "ip destination with port",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"127.0.0.1:9000"},
+				CFJumpDestinationHeader: []string{"127.0.0.1:9000"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "ip destination with port and path",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
+				CFJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "ip destination with schem and port",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"tcp://127.0.0.1:9000"},
+				CFJumpDestinationHeader: []string{"tcp://127.0.0.1:9000"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "full ip url",
 			header: http.Header{
-				cfJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
+				CFJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
+			},
+			expectedDest: "127.0.0.1:9000",
+		},
+		{
+			name: "full ip url with bastion mode",
+			header: http.Header{
+				CFJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
+			},
+			bastionMode:  true,
+			service:      "ssh://127.0.0.1:9002/metrics",
+			expectedDest: "127.0.0.1:9002",
+		},
+		{
+			name: "ip destination with port and path with bastion mode",
+			header: http.Header{
+				CFJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
+			},
+			bastionMode:  true,
+			service:      "127.0.0.1:9002/metrics",
+			expectedDest: "127.0.0.1:9002",
+		},
+		{
+			name: "ip destination with port and path without bastion mode",
+			header: http.Header{
+				CFJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
 			},
+			bastionMode:  false,
+			service:      "127.0.0.1:9002/metrics",
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
@@ -243,7 +273,7 @@ func TestBastionDestination(t *testing.T) {
 		r := &http.Request{
 			Header: test.header,
 		}
-		dest, err := ResolveBastionDest(r)
+		dest, err := ResolveBastionDest(r, test.bastionMode, test.service)
 		if test.wantErr {
 			assert.Error(t, err, "Test %s expects error", test.name)
 		} else {

cmd/cloudflared/tunnel/ingress_subcommands.go

@@ -138,7 +138,7 @@ func testURLCommand(c *cli.Context) error {
 		return errors.Wrap(err, "Validation failed")
 	}
 
-	_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
+	_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path, "")
 	fmt.Printf("Matched rule #%d\n", i)
 	fmt.Println(ing.Rules[i].MultiLineString())
 	return nil

ingress/ingress.go

@@ -28,7 +28,6 @@ var (
 )
 
 const (
-	ServiceBastion     = "bastion"
 	ServiceSocksProxy  = "socks-proxy"
 	ServiceWarpRouting = "warp-routing"
 )
@@ -38,12 +37,13 @@ const (
 // which is the case if the rules were instantiated via the ingress#Validate method.
 //
 // Negative index rule signifies local cloudflared rules (not-user defined).
-func (ing Ingress) FindMatchingRule(hostname, path string) (*Rule, int) {
+func (ing Ingress) FindMatchingRule(hostname, path string, cfJumpDestinationHeader string) (*Rule, int) {
 	// The hostname might contain port. We only want to compare the host part with the rule
 	host, _, err := net.SplitHostPort(hostname)
 	if err == nil {
 		hostname = host
 	}
+	derivedHostName := hostname
 	for i, rule := range ing.InternalRules {
 		if rule.Matches(hostname, path) {
 			// Local rule matches return a negative rule index to distiguish local rules from user-defined rules in logs
@@ -52,7 +52,15 @@ func (ing Ingress) FindMatchingRule(hostname, path string) (*Rule, int) {
 		}
 	}
 	for i, rule := range ing.Rules {
-		if rule.Matches(hostname, path) {
+		// If bastion mode is turned on and request is made as bastion, attempt
+		// to match a rule where jump destination header matches the hostname
+		if rule.Config.BastionMode && len(cfJumpDestinationHeader) > 0 {
+			jumpDestinationUri, err := url.Parse(cfJumpDestinationHeader)
+			if err == nil {
+				derivedHostName = jumpDestinationUri.Hostname()
+			}
+		}
+		if rule.Matches(derivedHostName, path) {
 			return &rule, i
 		}
 	}
@@ -265,6 +273,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 			}
 			srv := newStatusCode(statusCode)
 			service = &srv
+
 		} else if r.Service == HelloWorldFlag || r.Service == HelloWorldService {
 			service = new(helloWorld)
 		} else if r.Service == ServiceSocksProxy {
@@ -284,12 +293,21 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 			}
 
 			service = newSocksProxyOverWSService(accessPolicy)
-		} else if r.Service == ServiceBastion || cfg.BastionMode {
+		} else if r.Service == config.BastionFlag || cfg.BastionMode {
 			// Bastion mode will always start a Websocket proxy server, which will
 			// overwrite the localService.URL field when `start` is called. So,
 			// leave the URL field empty for now.
 			cfg.BastionMode = true
-			service = newBastionService()
+
+			if cfg.BastionMode && r.Service != config.BastionFlag {
+				u, err := url.Parse(r.Service)
+				if err != nil {
+					return Ingress{}, err
+				}
+				service = newBastionServiceWithDest(u)
+			} else {
+				service = newBastionService()
+			}
 		} else {
 			// Validate URL services
 			u, err := url.Parse(r.Service)